From: Greg Kroah-Hartman Date: Wed, 15 Mar 2017 07:58:35 +0000 (+0800) Subject: 4.4-stable patches X-Git-Tag: v4.4.55~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e65ba71745211a6c7e7fbb8e3a315cd0758138d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: powerpc-emulation-support-for-load-store-instructions-on-le.patch serial-samsung-continue-to-work-if-dma-request-fails.patch tracing-add-undef-to-fix-compile-error.patch usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch usb-gadget-function-f_fs-pass-companion-descriptor-along.patch usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch usb-iowarrior-fix-null-deref-at-probe.patch usb-iowarrior-fix-null-deref-in-write.patch usb-serial-io_ti-fix-information-leak-in-completion-handler.patch usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch usb-serial-omninet-fix-reference-leaks-at-open.patch usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch --- diff --git a/queue-4.4/powerpc-emulation-support-for-load-store-instructions-on-le.patch b/queue-4.4/powerpc-emulation-support-for-load-store-instructions-on-le.patch new file mode 100644 index 00000000000..f1a0f745437 --- /dev/null +++ b/queue-4.4/powerpc-emulation-support-for-load-store-instructions-on-le.patch 
@@ -0,0 +1,110 @@ +From e148bd17f48bd17fca2f4f089ec879fa6e47e34c Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Tue, 14 Feb 2017 14:46:42 +0530 +Subject: powerpc: Emulation support for load/store instructions on LE + +From: Ravi Bangoria + +commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream. + +emulate_step() uses a number of underlying kernel functions that were +initially not enabled for LE. This has been rectified since. So, fix +emulate_step() for LE for the corresponding instructions. + +Reported-by: Anton Blanchard +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/sstep.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -1806,8 +1806,6 @@ int __kprobes emulate_step(struct pt_reg + goto instr_done; + + case LARX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1829,8 +1827,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case STCX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1854,8 +1850,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case LOAD: +- if (regs->msr & MSR_LE) +- return 0; + err = read_mem(®s->gpr[op.reg], op.ea, size, regs); + if (!err) { + if (op.type & SIGNEXT) +@@ -1867,8 +1861,6 @@ int __kprobes emulate_step(struct pt_reg + + #ifdef CONFIG_PPC_FPU + case LOAD_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_load(op.reg, do_lfs, op.ea, size, regs); + else +@@ -1877,15 +1869,11 @@ int __kprobes emulate_step(struct pt_reg + #endif + #ifdef CONFIG_ALTIVEC + case LOAD_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case LOAD_VSX: +- if (regs->msr & MSR_LE) +- 
return 0; + err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs); + goto ldst_done; + #endif +@@ -1908,8 +1896,6 @@ int __kprobes emulate_step(struct pt_reg + goto instr_done; + + case STORE: +- if (regs->msr & MSR_LE) +- return 0; + if ((op.type & UPDATE) && size == sizeof(long) && + op.reg == 1 && op.update_reg == 1 && + !(regs->msr & MSR_PR) && +@@ -1922,8 +1908,6 @@ int __kprobes emulate_step(struct pt_reg + + #ifdef CONFIG_PPC_FPU + case STORE_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_store(op.reg, do_stfs, op.ea, size, regs); + else +@@ -1932,15 +1916,11 @@ int __kprobes emulate_step(struct pt_reg + #endif + #ifdef CONFIG_ALTIVEC + case STORE_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case STORE_VSX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs); + goto ldst_done; + #endif diff --git a/queue-4.4/serial-samsung-continue-to-work-if-dma-request-fails.patch b/queue-4.4/serial-samsung-continue-to-work-if-dma-request-fails.patch new file mode 100644 index 00000000000..14e8f2a678d --- /dev/null +++ b/queue-4.4/serial-samsung-continue-to-work-if-dma-request-fails.patch 
@@ -0,0 +1,49 @@ +From f98c7bce570bdbe344b74ff5daa7dfeef3f22929 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 25 Feb 2017 18:36:44 +0200 +Subject: serial: samsung: Continue to work if DMA request fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +commit f98c7bce570bdbe344b74ff5daa7dfeef3f22929 upstream. + +If DMA is not available (even when configured in DeviceTree), the driver +will fail the startup procedure thus making serial console not +available. + +For example this causes boot failure on QEMU ARMv7 (Exynos4210, SMDKC210): + [    1.302575] OF: amba_device_add() failed (-19) for /amba/pdma@12680000 + ... + [   11.435732] samsung-uart 13800000.serial: DMA request failed + [   72.963893] samsung-uart 13800000.serial: DMA request failed + [   73.143361] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000 + +DMA is not necessary for serial to work, so continue with UART startup +after emitting a warning. + +Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/samsung.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1030,8 +1030,10 @@ static int s3c64xx_serial_startup(struct + if (ourport->dma) { + ret = s3c24xx_serial_request_dma(ourport); + if (ret < 0) { +- dev_warn(port->dev, "DMA request failed\n"); +- return ret; ++ dev_warn(port->dev, ++ "DMA request failed, DMA will not be used\n"); ++ devm_kfree(port->dev, ourport->dma); ++ ourport->dma = NULL; + } + } + diff --git a/queue-4.4/series b/queue-4.4/series index 1d57138eee4..4b606492a74 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
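Review bot: The new warning in the `ret < 0` branch drops the error code, so the log no longer says why the DMA request failed; `dev_warn(port->dev, "DMA request failed (%d), DMA will not be used\n", ret);` keeps it. Because the branch now falls through instead of returning, `ret` is still negative when startup continues. The rest of s3c64xx_serial_startup() is outside the hunk, so it is worth confirming that `ret` is reassigned before it is next tested or returned. A one-line comment such as `/* DMA is optional: keep the UART usable without it */` would record why the error is not propagated.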
@@ -14,3 +14,17 @@ cpmac-remove-hopeless-warning.patch
 mm-memcontrol-avoid-unused-function-warning.patch
 mips-dec-avoid-la-pseudo-instruction-in-delay-slots.patch
 mips-netlogic-fix-cp0_ebase-redefinition-warnings.patch
+tracing-add-undef-to-fix-compile-error.patch
+powerpc-emulation-support-for-load-store-instructions-on-le.patch
+usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch
+usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch
+usb-gadget-function-f_fs-pass-companion-descriptor-along.patch
+usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch
+usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch
+usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch
+usb-serial-omninet-fix-reference-leaks-at-open.patch
+usb-iowarrior-fix-null-deref-at-probe.patch
+usb-iowarrior-fix-null-deref-in-write.patch
+usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch
+usb-serial-io_ti-fix-information-leak-in-completion-handler.patch
+serial-samsung-continue-to-work-if-dma-request-fails.patch
diff --git a/queue-4.4/tracing-add-undef-to-fix-compile-error.patch b/queue-4.4/tracing-add-undef-to-fix-compile-error.patch
new file mode 100644
index 00000000000..94914075d1f
--- /dev/null
+++ b/queue-4.4/tracing-add-undef-to-fix-compile-error.patch
@@ -0,0 +1,39 @@
+From bf7165cfa23695c51998231c4efa080fe1d3548d Mon Sep 17 00:00:00 2001
+From: Rik van Riel
+Date: Wed, 28 Sep 2016 22:55:54 -0400
+Subject: tracing: Add #undef to fix compile error
+
+From: Rik van Riel
+
+commit bf7165cfa23695c51998231c4efa080fe1d3548d upstream.
+
+There are several trace include files that define TRACE_INCLUDE_FILE.
+
+Include several of them in the same .c file (as I currently have in
+some code I am working on), and the compile will blow up with a
+"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
+
+Every other include file in include/trace/events/ avoids that issue
+by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
+should have one, too.
+
+Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
+
+Fixes: b8007ef74222 ("tracing: Separate raw syscall from syscall tracer")
+Signed-off-by: Rik van Riel
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/trace/events/syscalls.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/trace/events/syscalls.h
++++ b/include/trace/events/syscalls.h
+@@ -1,5 +1,6 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM raw_syscalls
++#undef TRACE_INCLUDE_FILE
+ #define TRACE_INCLUDE_FILE syscalls
+
+ #if !defined(_TRACE_EVENTS_SYSCALLS_H) || defined(TRACE_HEADER_MULTI_READ)
diff --git a/queue-4.4/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch b/queue-4.4/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch
new file mode 100644
index 00000000000..b1de3010b03
--- /dev/null
+++ b/queue-4.4/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch
@@ -0,0 +1,61 @@
+From 7369090a9fb57c3fc705ce355d2e4523a5a24716 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi
+Date: Tue, 31 Jan 2017 13:24:54 +0200
+Subject: usb: dwc3: gadget: make Set Endpoint Configuration macros safe
+
+From: Felipe Balbi
+
+commit 7369090a9fb57c3fc705ce355d2e4523a5a24716 upstream.
+
+Some gadget drivers are bad, bad boys. We notice
+that ADB was passing bad Burst Size which caused top
+bits of param0 to be overwritten which confused DWC3
+when running this command.
+
+In order to avoid future issues, we're going to make
+sure values passed by macros are always safe for the
+controller. Note that ADB still needs a fix to *not*
+pass bad values.
+
+Reported-by: Mohamed Abbas
+Sugested-by: Adam Andruszak
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/gadget.h | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.h
++++ b/drivers/usb/dwc3/gadget.h
+@@ -28,23 +28,23 @@ struct dwc3;
+ #define gadget_to_dwc(g) (container_of(g, struct dwc3, gadget))
+
+ /* DEPCFG parameter 1 */
+-#define DWC3_DEPCFG_INT_NUM(n) ((n) << 0)
++#define DWC3_DEPCFG_INT_NUM(n) (((n) & 0x1f) << 0)
+ #define DWC3_DEPCFG_XFER_COMPLETE_EN (1 << 8)
+ #define DWC3_DEPCFG_XFER_IN_PROGRESS_EN (1 << 9)
+ #define DWC3_DEPCFG_XFER_NOT_READY_EN (1 << 10)
+ #define DWC3_DEPCFG_FIFO_ERROR_EN (1 << 11)
+ #define DWC3_DEPCFG_STREAM_EVENT_EN (1 << 13)
+-#define DWC3_DEPCFG_BINTERVAL_M1(n) ((n) << 16)
++#define DWC3_DEPCFG_BINTERVAL_M1(n) (((n) & 0xff) << 16)
+ #define DWC3_DEPCFG_STREAM_CAPABLE (1 << 24)
+-#define DWC3_DEPCFG_EP_NUMBER(n) ((n) << 25)
++#define DWC3_DEPCFG_EP_NUMBER(n) (((n) & 0x1f) << 25)
+ #define DWC3_DEPCFG_BULK_BASED (1 << 30)
+ #define DWC3_DEPCFG_FIFO_BASED (1 << 31)
+
+ /* DEPCFG parameter 0 */
+-#define DWC3_DEPCFG_EP_TYPE(n) ((n) << 1)
+-#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) ((n) << 3)
+-#define DWC3_DEPCFG_FIFO_NUMBER(n) ((n) << 17)
+-#define DWC3_DEPCFG_BURST_SIZE(n) ((n) << 22)
++#define DWC3_DEPCFG_EP_TYPE(n) (((n) & 0x3) << 1)
++#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) (((n) & 0x7ff) << 3)
++#define DWC3_DEPCFG_FIFO_NUMBER(n) (((n) & 0x1f) << 17)
++#define DWC3_DEPCFG_BURST_SIZE(n) (((n) & 0xf) << 22)
+ #define DWC3_DEPCFG_DATA_SEQ_NUM(n) ((n) << 26)
+ /* This applies for core versions earlier than 1.94a */
+ #define DWC3_DEPCFG_IGN_SEQ_NUM (1 << 31)
diff --git a/queue-4.4/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch b/queue-4.4/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch
new file mode 100644
index 00000000000..190184acd7d
--- /dev/null
+++ b/queue-4.4/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch
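Review bot: `DWC3_DEPCFG_DATA_SEQ_NUM(n)` is left as `((n) << 26)` while every other parameter-0 field macro in this hunk gains a mask, so an oversized sequence number can still spill into bit 31, which the following line defines as `DWC3_DEPCFG_IGN_SEQ_NUM`. If the field is the five bits below that flag (inferred from the two shift counts, not stated in the hunk), `(((n) & 0x1f) << 26)` would close the gap. The masks also truncate silently, so a caller passing a bad value is no longer noticeable at run time. A short comment above each group, for example `/* masks match the field widths of the DEPCFG parameter words */`, would tell the next reader where the constants come from.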
@@ -0,0 +1,81 @@ +From 5bbc852676ae08e818241cf66a3ffe4be44225c4 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 28 Feb 2017 14:25:45 +0800 +Subject: usb: gadget: dummy_hcd: clear usb_gadget region before registration + +From: Peter Chen + +commit 5bbc852676ae08e818241cf66a3ffe4be44225c4 upstream. + +When the user does device unbind and rebind test, the kernel will +show below dump due to usb_gadget memory region is dirty after unbind. +Clear usb_gadget region for every new probe. + +root@imx6qdlsolo:/sys/bus/platform/drivers/dummy_udc# echo dummy_udc.0 > bind +[ 102.523312] kobject (eddd78b0): tried to init an initialized object, something is seriously wrong. +[ 102.532447] CPU: 0 PID: 734 Comm: sh Not tainted 4.10.0-rc7-00872-g1b2b8e9 #1298 +[ 102.539866] Hardware name: Freescale i.MX6 SoloX (Device Tree) +[ 102.545717] Backtrace: +[ 102.548225] [] (dump_backtrace) from [] (show_stack+0x18/0x1c) +[ 102.555822] r7:ede34000 r6:60010013 r5:00000000 r4:c0f29418 +[ 102.561512] [] (show_stack) from [] (dump_stack+0xb4/0xe8) +[ 102.568764] [] (dump_stack) from [] (kobject_init+0x80/0x9c) +[ 102.576187] r10:0000001f r9:eddd7000 r8:eeaf8c10 r7:eddd78a8 r6:c177891c r5:c0f3b060 +[ 102.584036] r4:eddd78b0 r3:00000000 +[ 102.587641] [] (kobject_init) from [] (device_initialize+0x28/0xf8) +[ 102.595665] r5:eebc4800 r4:eddd78a8 +[ 102.599268] [] (device_initialize) from [] (device_register+0x14/0x20) +[ 102.607556] r7:eddd78a8 r6:00000000 r5:eebc4800 r4:eddd78a8 +[ 102.613256] [] (device_register) from [] (usb_add_gadget_udc_release+0x8c/0x1ec) +[ 102.622410] r5:eebc4800 r4:eddd7860 +[ 102.626015] [] (usb_add_gadget_udc_release) from [] (usb_add_gadget_udc+0x14/0x18) +[ 102.635351] r10:0000001f r9:eddd7000 r8:eddd788c r7:bf003770 r6:eddd77f8 r5:eddd7818 +[ 102.643198] r4:eddd785c r3:eddd7b24 +[ 102.646834] [] (usb_add_gadget_udc) from [] (dummy_udc_probe+0x170/0x1c4 [dummy_hcd]) +[ 102.656458] [] (dummy_udc_probe [dummy_hcd]) from [] (platform_drv_probe+0x54/0xb8) +[ 
102.665881] r10:00000008 r9:c1778960 r8:bf004128 r7:fffffdfb r6:bf004128 r5:eeaf8c10 +[ 102.673727] r4:eeaf8c10 +[ 102.676293] [] (platform_drv_probe) from [] (driver_probe_device+0x264/0x474) +[ 102.685186] r7:00000000 r6:00000000 r5:c1778960 r4:eeaf8c10 +[ 102.690876] [] (driver_probe_device) from [] (bind_store+0xb8/0x14c) +[ 102.698994] r10:eeb3bb4c r9:ede34000 r8:0000000c r7:eeaf8c44 r6:bf004128 r5:c0f3b668 +[ 102.706840] r4:eeaf8c10 +[ 102.709402] [] (bind_store) from [] (drv_attr_store+0x28/0x34) +[ 102.716998] r9:ede34000 r8:00000000 r7:ee3863c0 r6:ee3863c0 r5:c0538c80 r4:c053970c +[ 102.724776] [] (drv_attr_store) from [] (sysfs_kf_write+0x50/0x54) +[ 102.732711] r5:c0538c80 r4:0000000c +[ 102.736313] [] (sysfs_kf_write) from [] (kernfs_fop_write+0x100/0x214) +[ 102.744599] r7:ee3863c0 r6:eeb3bb40 r5:00000000 r4:00000000 +[ 102.750287] [] (kernfs_fop_write) from [] (__vfs_write+0x34/0x120) +[ 102.758231] r10:00000000 r9:ede34000 r8:c0108bc4 r7:0000000c r6:ede35f80 r5:c029bd84 +[ 102.766077] r4:ee223780 +[ 102.768638] [] (__vfs_write) from [] (vfs_write+0xa8/0x170) +[ 102.775974] r9:ede34000 r8:c0108bc4 r7:ede35f80 r6:01861cb0 r5:ee223780 r4:0000000c +[ 102.783743] [] (vfs_write) from [] (SyS_write+0x4c/0xa8) +[ 102.790818] r9:ede34000 r8:c0108bc4 r7:0000000c r6:01861cb0 r5:ee223780 r4:ee223780 +[ 102.798595] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x1c) +[ 102.806188] r7:00000004 r6:b6e83d58 r5:01861cb0 r4:0000000c + +Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") +Acked-by: Alan Stern +Signed-off-by: Peter Chen +Tested-by: Xiaolong Ye +Reported-by: Fengguang Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/dummy_hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -1033,6 +1033,8 @@ static int dummy_udc_probe(struct platfo + int rc; + + dum = *((void **)dev_get_platdata(&pdev->dev)); 
++ /* Clear usb_gadget region for new registration to udc-core */ ++ memzero_explicit(&dum->gadget, sizeof(struct usb_gadget)); + dum->gadget.name = gadget_name; + dum->gadget.ops = &dummy_ops; + dum->gadget.max_speed = USB_SPEED_SUPER; diff --git a/queue-4.4/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch b/queue-4.4/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch new file mode 100644 index 00000000000..87444488a9a --- /dev/null +++ b/queue-4.4/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch 
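Review bot: `memzero_explicit()` is the helper for wiping sensitive data that the compiler might otherwise optimise away, whereas the added line in dummy_udc_probe() is an ordinary re-initialisation whose result is used by the assignments that follow. `memset(&dum->gadget, 0, sizeof(dum->gadget));` does the same job without suggesting a confidentiality concern. Taking the size from the member rather than `sizeof(struct usb_gadget)` also keeps the call right if the member's type ever changes. The function continues outside the hunk, so whether anything still holds a reference into `dum->gadget` from a previous bind cannot be checked from here.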
@@ -0,0 +1,57 @@
+From 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi
+Date: Tue, 31 Jan 2017 14:54:45 +0200
+Subject: usb: gadget: function: f_fs: pass companion descriptor along
+
+From: Felipe Balbi
+
+commit 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 upstream.
+
+If we're dealing with SuperSpeed endpoints, we need
+to make sure to pass along the companion descriptor
+and initialize fields needed by the Gadget
+API. Eventually, f_fs.c should be converted to use
+config_ep_by_speed() like all other functions,
+though.
+
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_fs.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1643,11 +1643,14 @@ static int ffs_func_eps_enable(struct ff
+ spin_lock_irqsave(&func->ffs->eps_lock, flags);
+ do {
+ struct usb_endpoint_descriptor *ds;
++ struct usb_ss_ep_comp_descriptor *comp_desc = NULL;
++ int needs_comp_desc = false;
+ int desc_idx;
+
+- if (ffs->gadget->speed == USB_SPEED_SUPER)
++ if (ffs->gadget->speed == USB_SPEED_SUPER) {
+ desc_idx = 2;
+- else if (ffs->gadget->speed == USB_SPEED_HIGH)
++ needs_comp_desc = true;
++ } else if (ffs->gadget->speed == USB_SPEED_HIGH)
+ desc_idx = 1;
+ else
+ desc_idx = 0;
+@@ -1664,6 +1667,14 @@ static int ffs_func_eps_enable(struct ff
+
+ ep->ep->driver_data = ep;
+ ep->ep->desc = ds;
++
++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
++ USB_DT_ENDPOINT_SIZE);
++ ep->ep->maxburst = comp_desc->bMaxBurst + 1;
++
++ if (needs_comp_desc)
++ ep->ep->comp_desc = comp_desc;
++
+ ret = usb_ep_enable(ep->ep);
+ if (likely(!ret)) {
+ epfile->ep = ep;
diff --git a/queue-4.4/usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch b/queue-4.4/usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch
new file mode 100644
index 00000000000..c04d2407adc
--- /dev/null
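Review bot: The companion-descriptor pointer is computed as `ds + USB_DT_ENDPOINT_SIZE`, but `ds` is declared as `struct usb_endpoint_descriptor *`, so the addition advances by that many whole descriptors rather than that many bytes, and `comp_desc->bMaxBurst` is then read from well past the endpoint descriptor. The read also happens at every speed, although only the SuperSpeed branch sets `needs_comp_desc`, so full- and high-speed enables dereference memory where no companion descriptor is expected. Casting to a byte pointer before the addition and moving the whole block under the flag addresses both; if another speed needs a default `maxburst`, it should be set explicitly. `needs_comp_desc` would also read better as `bool`. ffs_func_eps_enable() starts and ends outside the hunk, so the layout of the descriptor buffer is inferred from the cast.

```c
		ep->ep->desc = ds;

		if (needs_comp_desc) {
			/* the companion descriptor follows the endpoint descriptor byte-wise */
			comp_desc = (struct usb_ss_ep_comp_descriptor *)
					((u8 *)ds + USB_DT_ENDPOINT_SIZE);
			ep->ep->maxburst = comp_desc->bMaxBurst + 1;
			ep->ep->comp_desc = comp_desc;
		}

		/* … unchanged: usb_ep_enable() call and result handling … */
```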
+++ b/queue-4.4/usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch
@@ -0,0 +1,34 @@
+From f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 Mon Sep 17 00:00:00 2001
+From: Peter Chen
+Date: Thu, 9 Mar 2017 15:39:36 +0200
+Subject: usb: host: xhci-dbg: HCIVERSION should be a binary number
+
+From: Peter Chen
+
+commit f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 upstream.
+
+According to xHCI spec, HCIVERSION containing a BCD encoding
+of the xHCI specification revision number, 0100h corresponds
+to xHCI version 1.0. Change "100" as "0x100".
+
+Cc: Lu Baolu
+Fixes: 04abb6de2825 ("xhci: Read and parse new xhci 1.1 capability register")
+Signed-off-by: Peter Chen
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-dbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-dbg.c
++++ b/drivers/usb/host/xhci-dbg.c
+@@ -111,7 +111,7 @@ static void xhci_print_cap_regs(struct x
+ xhci_dbg(xhci, "RTSOFF 0x%x:\n", temp & RTSOFF_MASK);
+
+ /* xhci 1.1 controllers have the HCCPARAMS2 register */
+- if (hci_version > 100) {
++ if (hci_version > 0x100) {
+ temp = readl(&xhci->cap_regs->hcc_params2);
+ xhci_dbg(xhci, "HCC PARAMS2 0x%x:\n", (unsigned int) temp);
+ xhci_dbg(xhci, " HC %s Force save context capability",
diff --git a/queue-4.4/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch b/queue-4.4/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch
new file mode 100644
index 00000000000..574199920bf
--- /dev/null
+++ b/queue-4.4/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch
@@ -0,0 +1,42 @@
+From dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Thu, 9 Mar 2017 15:39:37 +0200
+Subject: usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
+
+From: Guenter Roeck
+
+commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream.
+
+Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of
+PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI
+xhci controllers which can result in excessive timeouts, to the point where
+the system reports a deadlock.
+
+The same problem is seen with hot pluggable xhci controllers using the
+xhci-plat driver, such as the driver used for Type-C ports on rk3399.
+Similar to hot-pluggable PCI controllers, the driver for this chip
+removes the xhci controller from the system when the Type-C cable is
+disconnected.
+
+The solution for PCI devices works just as well for non-PCI devices
+and avoids the problem.
+
+Signed-off-by: Guenter Roeck
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-plat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -213,6 +213,8 @@ static int xhci_plat_remove(struct platf
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ struct clk *clk = xhci->clk;
+
++ xhci->xhc_state |= XHCI_STATE_REMOVING;
++
+ usb_remove_hcd(xhci->shared_hcd);
+ usb_phy_shutdown(hcd->usb_phy);
+
diff --git a/queue-4.4/usb-iowarrior-fix-null-deref-at-probe.patch b/queue-4.4/usb-iowarrior-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..81a49098576
--- /dev/null
+++ b/queue-4.4/usb-iowarrior-fix-null-deref-at-probe.patch
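Review bot: The added `xhci->xhc_state |= XHCI_STATE_REMOVING;` in xhci_plat_remove() has no comment, and nothing in the hunk says why it must come before `usb_remove_hcd()`. A line such as `/* mark the controller as going away before the HCDs are torn down, to avoid the removal timeout */` would keep the ordering from being rearranged later. The update is a plain read-modify-write with no lock taken in the visible lines, so it is worth confirming that no other context modifies `xhc_state` at this point. The function continues outside the hunk.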
@@ -0,0 +1,55 @@
+From b7321e81fc369abe353cf094d4f0dc2fe11ab95f Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 7 Mar 2017 16:11:03 +0100
+Subject: USB: iowarrior: fix NULL-deref at probe
+
+From: Johan Hovold
+
+commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream.
+
+Make sure to check for the required interrupt-in endpoint to avoid
+dereferencing a NULL-pointer should a malicious device lack such an
+endpoint.
+
+Note that a fairly recent change purported to fix this issue, but added
+an insufficient test on the number of endpoints only, a test which can
+now be removed.
+
+Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -787,12 +787,6 @@ static int iowarrior_probe(struct usb_in
+ iface_desc = interface->cur_altsetting;
+ dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+
+- if (iface_desc->desc.bNumEndpoints < 1) {
+- dev_err(&interface->dev, "Invalid number of endpoints\n");
+- retval = -EINVAL;
+- goto error;
+- }
+-
+ /* set up the endpoint information */
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ endpoint = &iface_desc->endpoint[i].desc;
+@@ -803,6 +797,13 @@ static int iowarrior_probe(struct usb_in
+ /* this one will match for the IOWarrior56 only */
+ dev->int_out_endpoint = endpoint;
+ }
++
++ if (!dev->int_in_endpoint) {
++ dev_err(&interface->dev, "no interrupt-in endpoint found\n");
++ retval = -ENODEV;
++ goto error;
++ }
++
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+ if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
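Review bot: The new `if (!dev->int_in_endpoint)` test is only reliable if that field is NULL before the endpoint loop runs; the allocation of `dev` is outside the hunk, so this is worth confirming (a zeroing allocator would guarantee it). The line right after the check takes `dev->report_size` from `usb_endpoint_maxp()`, which is still a device-supplied value, and if later code sizes buffers from it a zero or unexpectedly small value may deserve its own check. A comment such as `/* descriptors come from the device: do not assume the endpoint exists */` above the test would record why it is there. iowarrior_probe() starts and ends outside both hunks.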
diff --git a/queue-4.4/usb-iowarrior-fix-null-deref-in-write.patch b/queue-4.4/usb-iowarrior-fix-null-deref-in-write.patch
new file mode 100644
index 00000000000..30b7799556a
--- /dev/null
+++ b/queue-4.4/usb-iowarrior-fix-null-deref-in-write.patch
@@ -0,0 +1,38 @@
+From de46e56653de7b3b54baa625bd582635008b8d05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 7 Mar 2017 16:11:04 +0100
+Subject: USB: iowarrior: fix NULL-deref in write
+
+From: Johan Hovold
+
+commit de46e56653de7b3b54baa625bd582635008b8d05 upstream.
+
+Make sure to verify that we have the required interrupt-out endpoint for
+IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
+should a malicious device lack such an endpoint.
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -804,6 +804,14 @@ static int iowarrior_probe(struct usb_in
+ goto error;
+ }
+
++ if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) {
++ if (!dev->int_out_endpoint) {
++ dev_err(&interface->dev, "no interrupt-out endpoint found\n");
++ retval = -ENODEV;
++ goto error;
++ }
++ }
++
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+ if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
diff --git a/queue-4.4/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch b/queue-4.4/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch
new file mode 100644
index 00000000000..512f97acdbd
--- /dev/null
+++ b/queue-4.4/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch
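Review bot: The interrupt-out check is keyed on `dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56`, but the write path that dereferences `dev->int_out_endpoint` is not part of the hunk, so the guard is only complete if that path selects the endpoint on exactly the same condition. A comment such as `/* the write path uses int_out_endpoint for this product: refuse to bind without it */` would tie the two together for whoever adds another product ID later. The two nested `if` statements can also be one condition, `if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56 && !dev->int_out_endpoint) {`.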
@@ -0,0 +1,35 @@
+From 654b404f2a222f918af9b0cd18ad469d0c941a8e Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 6 Mar 2017 17:36:40 +0100
+Subject: USB: serial: io_ti: fix information leak in completion handler
+
+From: Johan Hovold
+
+commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream.
+
+Add missing sanity check to the bulk-in completion handler to avoid an
+integer underflow that can be triggered by a malicious device.
+
+This avoids leaking 128 kB of memory content from after the URB transfer
+buffer to user space.
+
+Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/io_ti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -1761,7 +1761,7 @@ static void edge_bulk_in_callback(struct
+
+ port_number = edge_port->port->port_number;
+
+- if (edge_port->lsr_event) {
++ if (urb->actual_length > 0 && edge_port->lsr_event) {
+ edge_port->lsr_event = 0;
+ dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n",
+ __func__, port_number, edge_port->lsr_mask, *data);
diff --git a/queue-4.4/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch b/queue-4.4/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch
new file mode 100644
index 00000000000..fc04369275e
--- /dev/null
+++ b/queue-4.4/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch
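Review bot: The new `urb->actual_length > 0` guard in edge_bulk_in_callback() has no comment saying what it protects. The branch reads `*data` in the visible `dev_dbg`, and its body continues outside the hunk, where, going by the commit message, the length is reduced and would underflow on an empty transfer. Suggest `/* the LSR event consumes the first data byte; an empty transfer must not reach this branch */` above the `if`. With the new condition `edge_port->lsr_event` also stays set after a zero-length URB, so the stored mask is applied to the first byte of the next transfer; that is probably intended, but worth stating in the same comment.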
@@ -0,0 +1,36 @@
+From 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 6 Mar 2017 17:36:37 +0100
+Subject: USB: serial: io_ti: fix NULL-deref in interrupt callback
+
+From: Johan Hovold
+
+commit 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 upstream.
+
+Fix a NULL-pointer dereference in the interrupt callback should a
+malicious device send data containing a bad port number by adding the
+missing sanity check.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/io_ti.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -1674,6 +1674,12 @@ static void edge_interrupt_callback(stru
+ function = TIUMP_GET_FUNC_FROM_CODE(data[0]);
+ dev_dbg(dev, "%s - port_number %d, function %d, info 0x%x\n", __func__,
+ port_number, function, data[1]);
++
++ if (port_number >= edge_serial->serial->num_ports) {
++ dev_err(dev, "bad port number %d\n", port_number);
++ goto exit;
++ }
++
+ port = edge_serial->serial->port[port_number];
+ edge_port = usb_get_serial_port_data(port);
+ if (!edge_port) {
diff --git a/queue-4.4/usb-serial-omninet-fix-reference-leaks-at-open.patch b/queue-4.4/usb-serial-omninet-fix-reference-leaks-at-open.patch
new file mode 100644
index 00000000000..800b9233f23
--- /dev/null
+++ b/queue-4.4/usb-serial-omninet-fix-reference-leaks-at-open.patch
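Review bot: The added test `port_number >= edge_serial->serial->num_ports` rejects only values that are too large; if `port_number` is a signed type, as the `%d` in the neighbouring `dev_dbg` suggests, a negative value derived from `data[0]` would still be used to index `serial->port[]`. Its declaration and the macro that computes it are outside the hunk, so this needs confirming; making the variable unsigned or adding a lower-bound test would settle it. Separately, the new `dev_err` runs in the interrupt completion path on device-supplied data, so a misbehaving device can emit it on every transfer; `dev_err_ratelimited(dev, "bad port number %d\n", port_number);` keeps the diagnostic without flooding the log. The same applies to the `malformed packet` message added to safe_process_read_urb() in the safe_serial patch.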
@@ -0,0 +1,37 @@
+From 30572418b445d85fcfe6c8fe84c947d2606767d8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 6 Mar 2017 17:36:38 +0100
+Subject: USB: serial: omninet: fix reference leaks at open
+
+From: Johan Hovold
+
+commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream.
+
+This driver needlessly took another reference to the tty on open, a
+reference which was then never released on close. This lead to not just
+a leak of the tty, but also a driver reference leak that prevented the
+driver from being unloaded after a port had once been opened.
+
+Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/omninet.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -142,12 +142,6 @@ static int omninet_port_remove(struct us
+
+ static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+- struct usb_serial_port *wport;
+-
+- wport = serial->port[1];
+- tty_port_tty_set(&wport->port, tty);
+-
+ return usb_serial_generic_open(tty, port);
+ }
+
diff --git a/queue-4.4/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch b/queue-4.4/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch
new file mode 100644
index 00000000000..7d6b982e44b
--- /dev/null
+++ b/queue-4.4/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch
@@ -0,0 +1,37 @@
+From 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 6 Mar 2017 17:36:41 +0100
+Subject: USB: serial: safe_serial: fix information leak in completion handler
+
+From: Johan Hovold
+
+commit 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 upstream.
+
+Add missing sanity check to the bulk-in completion handler to avoid an
+integer underflow that could be triggered by a malicious device.
+
+This avoids leaking up to 56 bytes from after the URB transfer buffer to
+user space.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/safe_serial.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/serial/safe_serial.c
++++ b/drivers/usb/serial/safe_serial.c
+@@ -205,6 +205,11 @@ static void safe_process_read_urb(struct
+ if (!safe)
+ goto out;
+
++ if (length < 2) {
++ dev_err(&port->dev, "malformed packet\n");
++ return;
++ }
++
+ fcs = fcs_compute10(data, length, CRC10_INITFCS);
+ if (fcs) {
+ dev_err(&port->dev, "%s - bad CRC %x\n", __func__, fcs);