From: Greg Kroah-Hartman
Date: Sat, 11 Jan 2020 09:39:13 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.209~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65e69d4061a7b12c55f0c6d411bc9f0aa400f371;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
usb-core-fix-check-for-duplicate-endpoints.patch
usb-dwc3-gadget-fix-request-complete-check.patch
usb-missing-parentheses-in-use_new_scheme.patch
usb-serial-option-add-telit-me910g1-0x110a-composition.patch
---
diff --git a/queue-5.4/series b/queue-5.4/series
index a88654fb5ea..1ca3bf7077e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -159,3 +159,7 @@ net-mlx5e-always-print-health-reporter-message-to-dmesg.patch
 net-mlx5-dr-no-need-for-atomic-refcount-for-internal-sw-steering-resources.patch
 net-mlx5e-fix-hairpin-rss-table-size.patch
 net-mlx5-dr-init-lists-that-are-used-in-rule-s-member.patch
+usb-dwc3-gadget-fix-request-complete-check.patch
+usb-core-fix-check-for-duplicate-endpoints.patch
+usb-serial-option-add-telit-me910g1-0x110a-composition.patch
+usb-missing-parentheses-in-use_new_scheme.patch
diff --git a/queue-5.4/usb-core-fix-check-for-duplicate-endpoints.patch b/queue-5.4/usb-core-fix-check-for-duplicate-endpoints.patch
new file mode 100644
index 00000000000..145cd44d6fe
--- /dev/null
+++ b/queue-5.4/usb-core-fix-check-for-duplicate-endpoints.patch
@@ -0,0 +1,128 @@
+From 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 19 Dec 2019 17:10:16 +0100
+Subject: USB: core: fix check for duplicate endpoints
+
+From: Johan Hovold
+
+commit 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff upstream.
+
+Amend the endpoint-descriptor sanity checks to detect all duplicate
+endpoint addresses in a configuration.
+
+Commit 0a8fd1346254 ("USB: fix problems with duplicate endpoint
+addresses") added a check for duplicate endpoint addresses within a
+single alternate setting, but did not look for duplicate addresses in
+other interfaces.
+
+The current check would also not detect all duplicate addresses when one
+endpoint is as a (bi-directional) control endpoint.
+
+This specifically avoids overwriting the endpoint entries in struct
+usb_device when enabling a duplicate endpoint, something which could
+potentially lead to crashes or leaks, for example, when endpoints are
+later disabled.
+
+Cc: stable
+Signed-off-by: Johan Hovold
+Acked-by: Alan Stern
+Link: https://lore.kernel.org/r/20191219161016.6695-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/config.c | 70 ++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 58 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -203,9 +203,58 @@ static const unsigned short super_speed_
+ [USB_ENDPOINT_XFER_INT] = 1024,
+ };
+
+-static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
+- int asnum, struct usb_host_interface *ifp, int num_ep,
+- unsigned char *buffer, int size)
++static bool endpoint_is_duplicate(struct usb_endpoint_descriptor *e1,
++ struct usb_endpoint_descriptor *e2)
++{
++ if (e1->bEndpointAddress == e2->bEndpointAddress)
++ return true;
++
++ if (usb_endpoint_xfer_control(e1) || usb_endpoint_xfer_control(e2)) {
++ if (usb_endpoint_num(e1) == usb_endpoint_num(e2))
++ return true;
++ }
++
++ return false;
++}
++
++/*
++ * Check for duplicate endpoint addresses in other interfaces and in the
++ * altsetting currently being parsed.
++ */
++static bool config_endpoint_is_duplicate(struct usb_host_config *config,
++ int inum, int asnum, struct usb_endpoint_descriptor *d)
++{
++ struct usb_endpoint_descriptor *epd;
++ struct usb_interface_cache *intfc;
++ struct usb_host_interface *alt;
++ int i, j, k;
++
++ for (i = 0; i < config->desc.bNumInterfaces; ++i) {
++ intfc = config->intf_cache[i];
++
++ for (j = 0; j < intfc->num_altsetting; ++j) {
++ alt = &intfc->altsetting[j];
++
++ if (alt->desc.bInterfaceNumber == inum &&
++ alt->desc.bAlternateSetting != asnum)
++ continue;
++
++ for (k = 0; k < alt->desc.bNumEndpoints; ++k) {
++ epd = &alt->endpoint[k].desc;
++
++ if (endpoint_is_duplicate(epd, d))
++ return true;
++ }
++ }
++ }
++
++ return false;
++}
++
++static int usb_parse_endpoint(struct device *ddev, int cfgno,
++ struct usb_host_config *config, int inum, int asnum,
++ struct usb_host_interface *ifp, int num_ep,
++ unsigned char *buffer, int size)
+ {
+ unsigned char *buffer0 = buffer;
+ struct usb_endpoint_descriptor *d;
+@@ -242,13 +291,10 @@ static int usb_parse_endpoint(struct dev
+ goto skip_to_next_endpoint_or_interface_descriptor;
+
+ /* Check for duplicate endpoint addresses */
+- for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+- if (ifp->endpoint[i].desc.bEndpointAddress ==
+- d->bEndpointAddress) {
+- dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+- cfgno, inum, asnum, d->bEndpointAddress);
+- goto skip_to_next_endpoint_or_interface_descriptor;
+- }
++ if (config_endpoint_is_duplicate(config, inum, asnum, d)) {
++ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
++ cfgno, inum, asnum, d->bEndpointAddress);
++ goto skip_to_next_endpoint_or_interface_descriptor;
+ }
+
+ endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+@@ -522,8 +568,8 @@ static int usb_parse_interface(struct de
+ if (((struct usb_descriptor_header *) buffer)->bDescriptorType
+ == USB_DT_INTERFACE)
+ break;
+- retval = usb_parse_endpoint(ddev, cfgno, inum, asnum, alt,
+- num_ep, buffer, size);
++ retval = usb_parse_endpoint(ddev, cfgno, config, inum, asnum,
++ alt, num_ep, buffer, size);
+ if (retval < 0)
+ return retval;
+ ++n;
diff --git a/queue-5.4/usb-dwc3-gadget-fix-request-complete-check.patch b/queue-5.4/usb-dwc3-gadget-fix-request-complete-check.patch
new file mode 100644
index 00000000000..54aa6dc36ff
--- /dev/null
+++ b/queue-5.4/usb-dwc3-gadget-fix-request-complete-check.patch
@@ -0,0 +1,39 @@
+From ea0d762775e20aaff7909a3f0866ff1688b1c618 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Fri, 13 Dec 2019 18:40:45 -0800
+Subject: usb: dwc3: gadget: Fix request complete check
+
+From: Thinh Nguyen
+
+commit ea0d762775e20aaff7909a3f0866ff1688b1c618 upstream.
+
+We can only check for IN direction if the request had completed. For OUT
+direction, it's perfectly fine that the host can send less than the
+setup length. Let's return true fall all cases of OUT direction.
+
+Fixes: e0c42ce590fe ("usb: dwc3: gadget: simplify IOC handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/ac5a3593a94fdaa3d92e6352356b5f7a01ccdc7c.1576291140.git.thinhn@synopsys.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/gadget.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2467,6 +2467,13 @@ static int dwc3_gadget_ep_reclaim_trb_li
+
+ static bool dwc3_gadget_ep_request_completed(struct dwc3_request *req)
+ {
++ /*
++ * For OUT direction, host may send less than the setup
++ * length. Return true for all OUT requests.
++ */
++ if (!req->direction)
++ return true;
++
+ return req->request.actual == req->request.length;
+ }
+
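Review bot: In `endpoint_is_duplicate()` the first test, `e1->bEndpointAddress == e2->bEndpointAddress`, compares the raw descriptor byte, whereas the control-endpoint branch below it compares `usb_endpoint_num()`. Two descriptors supplied by a faulty or hostile device that differ only in the reserved bits of bEndpointAddress are therefore not reported as duplicates, although they presumably resolve to the same endpoint entry in struct usb_device, which is the overwrite the commit message wants to rule out. Unless the reserved bits are cleared before this check runs (not visible in these hunks), compare the decoded fields instead: `if (usb_endpoint_num(e1) == usb_endpoint_num(e2) && usb_endpoint_dir_in(e1) == usb_endpoint_dir_in(e2)) return true;`. Both parameters can also be `const struct usb_endpoint_descriptor *`, since neither is written through.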
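Review bot: The new early return in `dwc3_gadget_ep_request_completed()` reports every OUT request as complete without looking at any per-request state, so the function can no longer tell a short OUT transfer from a request that still has work outstanding. Whether a request can reach this check with TRBs that have not been processed yet is decided by the caller, which is outside the hunk; if it can, such a request would be handed back early with a partial buffer. The added comment also says "setup length", which reads as if it meant a SETUP packet; suggest `/* OUT: the host may send less than req->request.length, so a short transfer still completes the request. */`.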
diff --git a/queue-5.4/usb-missing-parentheses-in-use_new_scheme.patch b/queue-5.4/usb-missing-parentheses-in-use_new_scheme.patch
new file mode 100644
index 00000000000..af84a8e935e
--- /dev/null
+++ b/queue-5.4/usb-missing-parentheses-in-use_new_scheme.patch
@@ -0,0 +1,40 @@
+From 1530f6f5f5806b2abbf2a9276c0db313ae9a0e09 Mon Sep 17 00:00:00 2001
+From: Qi Zhou
+Date: Sat, 4 Jan 2020 11:02:01 +0000
+Subject: usb: missing parentheses in USE_NEW_SCHEME
+
+From: Qi Zhou
+
+commit 1530f6f5f5806b2abbf2a9276c0db313ae9a0e09 upstream.
+
+According to bd0e6c9614b9 ("usb: hub: try old enumeration scheme first
+for high speed devices") the kernel will try the old enumeration scheme
+first for high speed devices. This can happen when a high speed device
+is plugged in.
+
+But due to missing parentheses in the USE_NEW_SCHEME define, this logic
+can get messed up and the incorrect result happens.
+
+Acked-by: Alan Stern
+Signed-off-by: Qi Zhou
+Link: https://lore.kernel.org/r/ht4mtag8ZP-HKEhD0KkJhcFnVlOFV8N8eNjJVRD9pDkkLUNhmEo8_cL_sl7xy9mdajdH-T8J3TFQsjvoYQT61NFjQXy469Ed_BbBw_x4S1E=@protonmail.com
+[ fixup changelog text - gregkh]
+Cc: stable
+Fixes: bd0e6c9614b9 ("usb: hub: try old enumeration scheme first for high speed devices")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2691,7 +2691,7 @@ static unsigned hub_is_wusb(struct usb_h
+ #define SET_ADDRESS_TRIES 2
+ #define GET_DESCRIPTOR_TRIES 2
+ #define SET_CONFIG_TRIES (2 * (use_both_schemes + 1))
+-#define USE_NEW_SCHEME(i, scheme) ((i) / 2 == (int)scheme)
++#define USE_NEW_SCHEME(i, scheme) ((i) / 2 == (int)(scheme))
+
+ #define HUB_ROOT_RESET_TIME 60 /* times are in msec */
+ #define HUB_SHORT_RESET_TIME 10
diff --git a/queue-5.4/usb-serial-option-add-telit-me910g1-0x110a-composition.patch b/queue-5.4/usb-serial-option-add-telit-me910g1-0x110a-composition.patch
new file mode 100644
index 00000000000..5378a5dec3c
--- /dev/null
+++ b/queue-5.4/usb-serial-option-add-telit-me910g1-0x110a-composition.patch
@@ -0,0 +1,33 @@
+From 0d3010fa442429f8780976758719af05592ff19f Mon Sep 17 00:00:00 2001
+From: Daniele Palmas
+Date: Fri, 13 Dec 2019 14:56:15 +0100
+Subject: USB: serial: option: add Telit ME910G1 0x110a composition
+
+From: Daniele Palmas
+
+commit 0d3010fa442429f8780976758719af05592ff19f upstream.
+
+This patch adds the following Telit ME910G1 composition:
+
+0x110a: tty, tty, tty, rmnet
+
+Signed-off-by: Daniele Palmas
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1172,6 +1172,8 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(0) | RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1102, 0xff), /* Telit ME910 (ECM) */
+ .driver_info = NCTRL(0) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x110a, 0xff), /* Telit ME910G1 */
++ .driver_info = NCTRL(0) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),