From: Greg Kroah-Hartman Date: Thu, 6 Feb 2020 15:26:10 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.103~138 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f0527bed6271a416e19d346551aa229f544f3f5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-dummy-fix-pcm-format-loop-in-proc-output.patch brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch usb-gadget-legacy-set-max_speed-to-super-speed.patch --- diff --git a/queue-4.4/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch b/queue-4.4/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch new file mode 100644 index 00000000000..d571e8bab80 --- /dev/null +++ b/queue-4.4/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch @@ -0,0 +1,33 @@ +From 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 1 Feb 2020 09:05:30 +0100 +Subject: ALSA: dummy: Fix PCM format loop in proc output + +From: Takashi Iwai + +commit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream. + +The loop termination for iterating over all formats should contain +SNDRV_PCM_FORMAT_LAST, not less than it. + +Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file") +Cc: +Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/drivers/dummy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/drivers/dummy.c ++++ b/sound/drivers/dummy.c +@@ -925,7 +925,7 @@ static void print_formats(struct snd_dum + { + int i; + +- for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) { ++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) { + if (dummy->pcm_hw.formats & (1ULL << i)) + snd_iprintf(buffer, " %s", snd_pcm_format_name(i)); + } diff --git a/queue-4.4/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch b/queue-4.4/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch new file mode 100644 index 00000000000..7ad5866b18b --- /dev/null +++ b/queue-4.4/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch @@ -0,0 +1,32 @@ +From 4282dc057d750c6a7dd92953564b15c26b54c22c Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Sat, 14 Dec 2019 19:51:14 -0600 +Subject: brcmfmac: Fix memory leak in brcmf_usbdev_qinit + +From: Navid Emamdoost + +commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream. + +In the implementation of brcmf_usbdev_qinit() the allocated memory for +reqs is leaking if usb_alloc_urb() fails. Release reqs in the error +handling path. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c +@@ -426,6 +426,7 @@ fail: + usb_free_urb(req->urb); + list_del(q->next); + } ++ kfree(reqs); + return NULL; + + } diff --git a/queue-4.4/series b/queue-4.4/series index 5a7dcd2ae75..8f8de036389 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,3 +9,8 @@ tcp-clear-tp-total_retrans-in-tcp_disconnect.patch tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb-descriptors.patch mfd-dln2-more-sanity-checking-for-endpoints.patch +brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch +usb-gadget-legacy-set-max_speed-to-super-speed.patch +usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch +usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch +alsa-dummy-fix-pcm-format-loop-in-proc-output.patch diff --git a/queue-4.4/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch b/queue-4.4/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch new file mode 100644 index 00000000000..1af1057933f --- /dev/null +++ b/queue-4.4/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch @@ -0,0 +1,91 @@ +From d710562e01c48d59be3f60d58b7a85958b39aeda Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 9 Jan 2020 13:17:22 +0000 +Subject: usb: gadget: f_ecm: Use atomic_t to track in-flight request + +From: Bryan O'Donoghue + +commit d710562e01c48d59be3f60d58b7a85958b39aeda upstream. + +Currently ecm->notify_req is used to flag when a request is in-flight. +ecm->notify_req is set to NULL and when a request completes it is +subsequently reset. + +This is fundamentally buggy in that the unbind logic of the ECM driver will +unconditionally free ecm->notify_req leading to a NULL pointer dereference. + +Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function") +Cc: stable +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_ecm.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_ecm.c ++++ b/drivers/usb/gadget/function/f_ecm.c +@@ -56,6 +56,7 @@ struct f_ecm { + struct usb_ep *notify; + struct usb_request *notify_req; + u8 notify_state; ++ atomic_t notify_count; + bool is_open; + + /* FIXME is_open needs some irq-ish locking +@@ -384,7 +385,7 @@ static void ecm_do_notify(struct f_ecm * + int status; + + /* notification already in flight? */ +- if (!req) ++ if (atomic_read(&ecm->notify_count)) + return; + + event = req->buf; +@@ -424,10 +425,10 @@ static void ecm_do_notify(struct f_ecm * + event->bmRequestType = 0xA1; + event->wIndex = cpu_to_le16(ecm->ctrl_id); + +- ecm->notify_req = NULL; ++ atomic_inc(&ecm->notify_count); + status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC); + if (status < 0) { +- ecm->notify_req = req; ++ atomic_dec(&ecm->notify_count); + DBG(cdev, "notify --> %d\n", status); + } + } +@@ -452,17 +453,19 @@ static void ecm_notify_complete(struct u + switch (req->status) { + case 0: + /* no fault */ ++ atomic_dec(&ecm->notify_count); + break; + case -ECONNRESET: + case -ESHUTDOWN: ++ atomic_set(&ecm->notify_count, 0); + ecm->notify_state = ECM_NOTIFY_NONE; + break; + default: + DBG(cdev, "event %02x --> %d\n", + event->bNotificationType, req->status); ++ atomic_dec(&ecm->notify_count); + break; + } +- ecm->notify_req = req; + ecm_do_notify(ecm); + } + +@@ -909,6 +912,11 @@ static void ecm_unbind(struct usb_config + + usb_free_all_descriptors(f); + ++ if (atomic_read(&ecm->notify_count)) { ++ usb_ep_dequeue(ecm->notify, ecm->notify_req); ++ atomic_set(&ecm->notify_count, 0); ++ } ++ + kfree(ecm->notify_req->buf); + usb_ep_free_request(ecm->notify, ecm->notify_req); + } diff --git a/queue-4.4/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch b/queue-4.4/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch new file mode 100644 index 00000000000..0b2e6f60a23 --- /dev/null +++ b/queue-4.4/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch @@ -0,0 +1,97 @@ +From 5b24c28cfe136597dc3913e1c00b119307a20c7e Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 9 Jan 2020 13:17:21 +0000 +Subject: usb: gadget: f_ncm: Use atomic_t to track in-flight request + +From: Bryan O'Donoghue + +commit 5b24c28cfe136597dc3913e1c00b119307a20c7e upstream. + +Currently ncm->notify_req is used to flag when a request is in-flight. +ncm->notify_req is set to NULL and when a request completes it is +subsequently reset. + +This is fundamentally buggy in that the unbind logic of the NCM driver will +unconditionally free ncm->notify_req leading to a NULL pointer dereference. + +Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility") +Cc: stable +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_ncm.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -57,6 +57,7 @@ struct f_ncm { + struct usb_ep *notify; + struct usb_request *notify_req; + u8 notify_state; ++ atomic_t notify_count; + bool is_open; + + const struct ndp_parser_opts *parser_opts; +@@ -480,7 +481,7 @@ static void ncm_do_notify(struct f_ncm * + int status; + + /* notification already in flight? */ +- if (!req) ++ if (atomic_read(&ncm->notify_count)) + return; + + event = req->buf; +@@ -520,7 +521,8 @@ static void ncm_do_notify(struct f_ncm * + event->bmRequestType = 0xA1; + event->wIndex = cpu_to_le16(ncm->ctrl_id); + +- ncm->notify_req = NULL; ++ atomic_inc(&ncm->notify_count); ++ + /* + * In double buffering if there is a space in FIFO, + * completion callback can be called right after the call, +@@ -530,7 +532,7 @@ static void ncm_do_notify(struct f_ncm * + status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC); + spin_lock(&ncm->lock); + if (status < 0) { +- ncm->notify_req = req; ++ atomic_dec(&ncm->notify_count); + DBG(cdev, "notify --> %d\n", status); + } + } +@@ -565,17 +567,19 @@ static void ncm_notify_complete(struct u + case 0: + VDBG(cdev, "Notification %02x sent\n", + event->bNotificationType); ++ atomic_dec(&ncm->notify_count); + break; + case -ECONNRESET: + case -ESHUTDOWN: ++ atomic_set(&ncm->notify_count, 0); + ncm->notify_state = NCM_NOTIFY_NONE; + break; + default: + DBG(cdev, "event %02x --> %d\n", + event->bNotificationType, req->status); ++ atomic_dec(&ncm->notify_count); + break; + } +- ncm->notify_req = req; + ncm_do_notify(ncm); + spin_unlock(&ncm->lock); + } +@@ -1559,6 +1563,11 @@ static void ncm_unbind(struct usb_config + ncm_string_defs[0].id = 0; + usb_free_all_descriptors(f); + ++ if (atomic_read(&ncm->notify_count)) { ++ usb_ep_dequeue(ncm->notify, ncm->notify_req); ++ atomic_set(&ncm->notify_count, 0); ++ } ++ + kfree(ncm->notify_req->buf); + usb_ep_free_request(ncm->notify, ncm->notify_req); + } diff --git a/queue-4.4/usb-gadget-legacy-set-max_speed-to-super-speed.patch b/queue-4.4/usb-gadget-legacy-set-max_speed-to-super-speed.patch new file mode 100644 index 00000000000..105fdeaa3c3 --- /dev/null +++ b/queue-4.4/usb-gadget-legacy-set-max_speed-to-super-speed.patch @@ -0,0 +1,68 @@ +From 463f67aec2837f981b0a0ce8617721ff59685c00 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Mon, 23 Dec 2019 08:47:35 +0200 +Subject: usb: gadget: legacy: set max_speed to super-speed + +From: Roger Quadros + +commit 463f67aec2837f981b0a0ce8617721ff59685c00 upstream. + +These interfaces do support super-speed so let's not +limit maximum speed to high-speed. + +Cc: +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/legacy/cdc2.c | 2 +- + drivers/usb/gadget/legacy/g_ffs.c | 2 +- + drivers/usb/gadget/legacy/multi.c | 2 +- + drivers/usb/gadget/legacy/ncm.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/legacy/cdc2.c ++++ b/drivers/usb/gadget/legacy/cdc2.c +@@ -229,7 +229,7 @@ static struct usb_composite_driver cdc_d + .name = "g_cdc", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = cdc_bind, + .unbind = cdc_unbind, + }; +--- a/drivers/usb/gadget/legacy/g_ffs.c ++++ b/drivers/usb/gadget/legacy/g_ffs.c +@@ -153,7 +153,7 @@ static struct usb_composite_driver gfs_d + .name = DRIVER_NAME, + .dev = &gfs_dev_desc, + .strings = gfs_dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = gfs_bind, + .unbind = gfs_unbind, + }; +--- a/drivers/usb/gadget/legacy/multi.c ++++ b/drivers/usb/gadget/legacy/multi.c +@@ -486,7 +486,7 @@ static struct usb_composite_driver multi + .name = "g_multi", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = multi_bind, + .unbind = multi_unbind, + .needs_serial = 1, +--- a/drivers/usb/gadget/legacy/ncm.c ++++ b/drivers/usb/gadget/legacy/ncm.c +@@ -203,7 +203,7 @@ static struct usb_composite_driver ncm_d + .name = "g_ncm", + .dev = &device_desc, + .strings = dev_strings, +- .max_speed = USB_SPEED_HIGH, ++ .max_speed = USB_SPEED_SUPER, + .bind = gncm_bind, + .unbind = gncm_unbind, + };