From: Greg Kroah-Hartman Date: Tue, 14 Jan 2020 09:44:32 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.210~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=68e92fa1bf437181c6ecb57a64eecc27f84a9b75;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: hid-hiddev-fix-mess-in-hiddev_open.patch netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch netfilter-conntrack-dccp-sctp-handle-null-timeout-argument.patch netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch phy-cpcap-usb-fix-error-path-when-no-host-driver-is-loaded.patch phy-cpcap-usb-fix-flakey-host-idling-and-enumerating-of-devices.patch usb-fix-don-t-skip-endpoint-descriptors-with-maxpacket-0.patch --- diff --git a/queue-4.19/hid-hiddev-fix-mess-in-hiddev_open.patch b/queue-4.19/hid-hiddev-fix-mess-in-hiddev_open.patch new file mode 100644 index 00000000000..83084caf8ed --- /dev/null +++ b/queue-4.19/hid-hiddev-fix-mess-in-hiddev_open.patch @@ -0,0 +1,157 @@ +From 18a1b06e5b91d47dc86c0a66a762646ea7c5d141 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 17 Dec 2019 14:50:21 -0800 +Subject: HID: hiddev: fix mess in hiddev_open() + +From: Dmitry Torokhov + +commit 18a1b06e5b91d47dc86c0a66a762646ea7c5d141 upstream. + +The open method of hiddev handler fails to bring the device out of +autosuspend state as was promised in 0361a28d3f9a, as it actually has 2 +blocks that try to start the transport (call hid_hw_open()) with both +being guarded by the "open" counter, so the 2nd block is never executed as +the first block increments the counter so it is never at 0 when we check +it for the second block. + +Additionally hiddev_open() was leaving counter incremented on errors, +causing the device to never be reopened properly if there was ever an +error. + +Let's fix all of this by factoring out code that creates client structure +and powers up the device into a separate function that is being called +from usbhid_open() with the "existancelock" being held. + +Fixes: 0361a28d3f9a ("HID: autosuspend support for USB HID") +Signed-off-by: Dmitry Torokhov +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hiddev.c | 97 +++++++++++++++++++------------------------- + 1 file changed, 42 insertions(+), 55 deletions(-) + +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -254,12 +254,51 @@ static int hiddev_release(struct inode * + return 0; + } + ++static int __hiddev_open(struct hiddev *hiddev, struct file *file) ++{ ++ struct hiddev_list *list; ++ int error; ++ ++ lockdep_assert_held(&hiddev->existancelock); ++ ++ list = vzalloc(sizeof(*list)); ++ if (!list) ++ return -ENOMEM; ++ ++ mutex_init(&list->thread_lock); ++ list->hiddev = hiddev; ++ ++ if (!hiddev->open++) { ++ error = hid_hw_power(hiddev->hid, PM_HINT_FULLON); ++ if (error < 0) ++ goto err_drop_count; ++ ++ error = hid_hw_open(hiddev->hid); ++ if (error < 0) ++ goto err_normal_power; ++ } ++ ++ spin_lock_irq(&hiddev->list_lock); ++ list_add_tail(&list->node, &hiddev->list); ++ spin_unlock_irq(&hiddev->list_lock); ++ ++ file->private_data = list; ++ ++ return 0; ++ ++err_normal_power: ++ hid_hw_power(hiddev->hid, PM_HINT_NORMAL); ++err_drop_count: ++ hiddev->open--; ++ vfree(list); ++ return error; ++} ++ + /* + * open file op + */ + static int hiddev_open(struct inode *inode, struct file *file) + { +- struct hiddev_list *list; + struct usb_interface *intf; + struct hid_device *hid; + struct hiddev *hiddev; +@@ -268,66 +307,14 @@ static int hiddev_open(struct inode *ino + intf = usbhid_find_interface(iminor(inode)); + if (!intf) + return -ENODEV; ++ + hid = usb_get_intfdata(intf); + hiddev = hid->hiddev; + +- if (!(list = vzalloc(sizeof(struct hiddev_list)))) +- return -ENOMEM; +- mutex_init(&list->thread_lock); +- list->hiddev = hiddev; +- file->private_data = list; +- +- /* +- * no need for locking because the USB major number +- * is shared which usbcore guards against disconnect +- */ +- if (list->hiddev->exist) { +- if (!list->hiddev->open++) { +- res = hid_hw_open(hiddev->hid); +- if (res < 0) +- goto bail; +- } +- } else { +- res = -ENODEV; +- goto bail; +- } +- +- spin_lock_irq(&list->hiddev->list_lock); +- list_add_tail(&list->node, &hiddev->list); +- spin_unlock_irq(&list->hiddev->list_lock); +- + mutex_lock(&hiddev->existancelock); +- /* +- * recheck exist with existance lock held to +- * avoid opening a disconnected device +- */ +- if (!list->hiddev->exist) { +- res = -ENODEV; +- goto bail_unlock; +- } +- if (!list->hiddev->open++) +- if (list->hiddev->exist) { +- struct hid_device *hid = hiddev->hid; +- res = hid_hw_power(hid, PM_HINT_FULLON); +- if (res < 0) +- goto bail_unlock; +- res = hid_hw_open(hid); +- if (res < 0) +- goto bail_normal_power; +- } +- mutex_unlock(&hiddev->existancelock); +- return 0; +-bail_normal_power: +- hid_hw_power(hid, PM_HINT_NORMAL); +-bail_unlock: ++ res = hiddev->exist ? __hiddev_open(hiddev, file) : -ENODEV; + mutex_unlock(&hiddev->existancelock); + +- spin_lock_irq(&list->hiddev->list_lock); +- list_del(&list->node); +- spin_unlock_irq(&list->hiddev->list_lock); +-bail: +- file->private_data = NULL; +- vfree(list); + return res; + } + diff --git a/queue-4.19/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch b/queue-4.19/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch new file mode 100644 index 00000000000..2503ff6f44b --- /dev/null +++ b/queue-4.19/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch @@ -0,0 +1,148 @@ +From 1b789577f655060d98d20ed0c6f9fbd469d6ba63 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 27 Dec 2019 01:33:10 +0100 +Subject: netfilter: arp_tables: init netns pointer in xt_tgchk_param struct + +From: Florian Westphal + +commit 1b789577f655060d98d20ed0c6f9fbd469d6ba63 upstream. + +We get crash when the targets checkentry function tries to make +use of the network namespace pointer for arptables. + +When the net pointer got added back in 2010, only ip/ip6/ebtables were +changed to initialize it, so arptables has this set to NULL. + +This isn't a problem for normal arptables because no existing +arptables target has a checkentry function that makes use of par->net. + +However, direct users of the setsockopt interface can provide any +target they want as long as its registered for ARP or UNPSEC protocols. + +syzkaller managed to send a semi-valid arptables rule for RATEEST target +which is enough to trigger NULL deref: + +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109 +[..] + xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019 + check_target net/ipv4/netfilter/arp_tables.c:399 [inline] + find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline] + translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572 + do_replace net/ipv4/netfilter/arp_tables.c:977 [inline] + do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456 + +Fixes: add67461240c1d ("netfilter: add struct net * to target parameters") +Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal +Acked-by: Cong Wang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/arp_tables.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -383,10 +383,11 @@ next: ; + return 1; + } + +-static inline int check_target(struct arpt_entry *e, const char *name) ++static int check_target(struct arpt_entry *e, struct net *net, const char *name) + { + struct xt_entry_target *t = arpt_get_target(e); + struct xt_tgchk_param par = { ++ .net = net, + .table = name, + .entryinfo = e, + .target = t->u.kernel.target, +@@ -398,8 +399,9 @@ static inline int check_target(struct ar + return xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false); + } + +-static inline int +-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size, ++static int ++find_check_entry(struct arpt_entry *e, struct net *net, const char *name, ++ unsigned int size, + struct xt_percpu_counter_alloc_state *alloc_state) + { + struct xt_entry_target *t; +@@ -418,7 +420,7 @@ find_check_entry(struct arpt_entry *e, c + } + t->u.kernel.target = target; + +- ret = check_target(e, name); ++ ret = check_target(e, net, name); + if (ret) + goto err; + return 0; +@@ -511,7 +513,9 @@ static inline void cleanup_entry(struct + /* Checks and translates the user-supplied table segment (held in + * newinfo). + */ +-static int translate_table(struct xt_table_info *newinfo, void *entry0, ++static int translate_table(struct net *net, ++ struct xt_table_info *newinfo, ++ void *entry0, + const struct arpt_replace *repl) + { + struct xt_percpu_counter_alloc_state alloc_state = { 0 }; +@@ -568,7 +572,7 @@ static int translate_table(struct xt_tab + /* Finally, each sanity check must pass */ + i = 0; + xt_entry_foreach(iter, entry0, newinfo->size) { +- ret = find_check_entry(iter, repl->name, repl->size, ++ ret = find_check_entry(iter, net, repl->name, repl->size, + &alloc_state); + if (ret != 0) + break; +@@ -973,7 +977,7 @@ static int do_replace(struct net *net, c + goto free_newinfo; + } + +- ret = translate_table(newinfo, loc_cpu_entry, &tmp); ++ ret = translate_table(net, newinfo, loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +@@ -1148,7 +1152,8 @@ compat_copy_entry_from_user(struct compa + } + } + +-static int translate_compat_table(struct xt_table_info **pinfo, ++static int translate_compat_table(struct net *net, ++ struct xt_table_info **pinfo, + void **pentry0, + const struct compat_arpt_replace *compatr) + { +@@ -1216,7 +1221,7 @@ static int translate_compat_table(struct + repl.num_counters = 0; + repl.counters = NULL; + repl.size = newinfo->size; +- ret = translate_table(newinfo, entry1, &repl); ++ ret = translate_table(net, newinfo, entry1, &repl); + if (ret) + goto free_newinfo; + +@@ -1269,7 +1274,7 @@ static int compat_do_replace(struct net + goto free_newinfo; + } + +- ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +@@ -1545,7 +1550,7 @@ int arpt_register_table(struct net *net, + loc_cpu_entry = newinfo->entries; + memcpy(loc_cpu_entry, repl->entries, repl->size); + +- ret = translate_table(newinfo, loc_cpu_entry, repl); ++ ret = translate_table(net, newinfo, loc_cpu_entry, repl); + if (ret != 0) + goto out_free; + diff --git a/queue-4.19/netfilter-conntrack-dccp-sctp-handle-null-timeout-argument.patch b/queue-4.19/netfilter-conntrack-dccp-sctp-handle-null-timeout-argument.patch new file mode 100644 index 00000000000..503c7c88f3a --- /dev/null +++ b/queue-4.19/netfilter-conntrack-dccp-sctp-handle-null-timeout-argument.patch @@ -0,0 +1,56 @@ +From 1d9a7acd3d1e74c2d150d8934f7f55bed6d70858 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 6 Jan 2020 23:34:17 +0100 +Subject: netfilter: conntrack: dccp, sctp: handle null timeout argument + +From: Florian Westphal + +commit 1d9a7acd3d1e74c2d150d8934f7f55bed6d70858 upstream. + +The timeout pointer can be NULL which means we should modify the +per-nets timeout instead. + +All do this, except sctp and dccp which instead give: + +general protection fault: 0000 [#1] PREEMPT SMP KASAN +net/netfilter/nf_conntrack_proto_dccp.c:682 + ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67 + cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368 + nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + +Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com +Fixes: c779e849608a8 ("netfilter: conntrack: remove get_timeout() indirection") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_proto_dccp.c | 3 +++ + net/netfilter/nf_conntrack_proto_sctp.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/net/netfilter/nf_conntrack_proto_dccp.c ++++ b/net/netfilter/nf_conntrack_proto_dccp.c +@@ -687,6 +687,9 @@ static int dccp_timeout_nlattr_to_obj(st + unsigned int *timeouts = data; + int i; + ++ if (!timeouts) ++ timeouts = dn->dccp_timeout; ++ + /* set default DCCP timeouts. */ + for (i=0; idccp_timeout[i]; +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -603,6 +603,9 @@ static int sctp_timeout_nlattr_to_obj(st + struct nf_sctp_net *sn = sctp_pernet(net); + int i; + ++ if (!timeouts) ++ timeouts = sn->timeouts; ++ + /* set default SCTP timeouts. */ + for (i=0; itimeouts[i]; diff --git a/queue-4.19/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch b/queue-4.19/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch new file mode 100644 index 00000000000..5bd5cd01af8 --- /dev/null +++ b/queue-4.19/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch @@ -0,0 +1,59 @@ +From 22dad713b8a5ff488e07b821195270672f486eb2 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 8 Jan 2020 10:59:38 +0100 +Subject: netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present + +From: Florian Westphal + +commit 22dad713b8a5ff488e07b821195270672f486eb2 upstream. + +The set uadt functions assume lineno is never NULL, but it is in +case of ip_set_utest(). + +syzkaller managed to generate a netlink message that calls this with +LINENO attr present: + +general protection fault: 0000 [#1] PREEMPT SMP KASAN +RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104 +Call Trace: + ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867 + nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563 + +pass a dummy lineno storage, its easier than patching all set +implementations. + +This seems to be a day-0 bug. + +Cc: Jozsef Kadlecsik +Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com +Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support") +Signed-off-by: Florian Westphal +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipset/ip_set_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -1666,6 +1666,7 @@ static int ip_set_utest(struct net *net, + struct ip_set *set; + struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {}; + int ret = 0; ++ u32 lineno; + + if (unlikely(protocol_failed(attr) || + !attr[IPSET_ATTR_SETNAME] || +@@ -1682,7 +1683,7 @@ static int ip_set_utest(struct net *net, + return -IPSET_ERR_PROTOCOL; + + rcu_read_lock_bh(); +- ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0); ++ ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0); + rcu_read_unlock_bh(); + /* Userspace can't trigger element to be re-added */ + if (ret == -EAGAIN) diff --git a/queue-4.19/phy-cpcap-usb-fix-error-path-when-no-host-driver-is-loaded.patch b/queue-4.19/phy-cpcap-usb-fix-error-path-when-no-host-driver-is-loaded.patch new file mode 100644 index 00000000000..0b1ad5d7639 --- /dev/null +++ b/queue-4.19/phy-cpcap-usb-fix-error-path-when-no-host-driver-is-loaded.patch @@ -0,0 +1,107 @@ +From 4acb0200ab2b07843e3ef5599add3454c7440f03 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Fri, 20 Dec 2019 16:21:40 +0530 +Subject: phy: cpcap-usb: Fix error path when no host driver is loaded + +From: Tony Lindgren + +commit 4acb0200ab2b07843e3ef5599add3454c7440f03 upstream. + +If musb_mailbox() returns an error, we must still continue to finish +configuring the phy. + +Otherwise the phy state may end up only half initialized, and this can +cause the debug serial console to stop working. And this will happen if the +usb driver musb controller is not loaded. + +Let's fix the issue by adding helper for cpcap_usb_try_musb_mailbox(). + +Fixes: 6d6ce40f63af ("phy: cpcap-usb: Add CPCAP PMIC USB support") +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/motorola/phy-cpcap-usb.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +--- a/drivers/phy/motorola/phy-cpcap-usb.c ++++ b/drivers/phy/motorola/phy-cpcap-usb.c +@@ -207,6 +207,19 @@ static int cpcap_phy_get_ints_state(stru + static int cpcap_usb_set_uart_mode(struct cpcap_phy_ddata *ddata); + static int cpcap_usb_set_usb_mode(struct cpcap_phy_ddata *ddata); + ++static void cpcap_usb_try_musb_mailbox(struct cpcap_phy_ddata *ddata, ++ enum musb_vbus_id_status status) ++{ ++ int error; ++ ++ error = musb_mailbox(status); ++ if (!error) ++ return; ++ ++ dev_dbg(ddata->dev, "%s: musb_mailbox failed: %i\n", ++ __func__, error); ++} ++ + static void cpcap_usb_detect(struct work_struct *work) + { + struct cpcap_phy_ddata *ddata; +@@ -226,9 +239,7 @@ static void cpcap_usb_detect(struct work + if (error) + goto out_err; + +- error = musb_mailbox(MUSB_ID_GROUND); +- if (error) +- goto out_err; ++ cpcap_usb_try_musb_mailbox(ddata, MUSB_ID_GROUND); + + error = regmap_update_bits(ddata->reg, CPCAP_REG_USBC3, + CPCAP_BIT_VBUSSTBY_EN, +@@ -255,9 +266,7 @@ static void cpcap_usb_detect(struct work + error = cpcap_usb_set_usb_mode(ddata); + if (error) + goto out_err; +- error = musb_mailbox(MUSB_ID_GROUND); +- if (error) +- goto out_err; ++ cpcap_usb_try_musb_mailbox(ddata, MUSB_ID_GROUND); + + return; + } +@@ -267,9 +276,7 @@ static void cpcap_usb_detect(struct work + error = cpcap_usb_set_usb_mode(ddata); + if (error) + goto out_err; +- error = musb_mailbox(MUSB_VBUS_VALID); +- if (error) +- goto out_err; ++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_VALID); + + return; + } +@@ -279,9 +286,7 @@ static void cpcap_usb_detect(struct work + if (error) + goto out_err; + +- error = musb_mailbox(MUSB_VBUS_OFF); +- if (error) +- goto out_err; ++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF); + + dev_dbg(ddata->dev, "set UART mode\n"); + +@@ -647,9 +652,7 @@ static int cpcap_usb_phy_remove(struct p + if (error) + dev_err(ddata->dev, "could not set UART mode\n"); + +- error = musb_mailbox(MUSB_VBUS_OFF); +- if (error) +- dev_err(ddata->dev, "could not set mailbox\n"); ++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF); + + usb_remove_phy(&ddata->phy); + cancel_delayed_work_sync(&ddata->detect_work); diff --git a/queue-4.19/phy-cpcap-usb-fix-flakey-host-idling-and-enumerating-of-devices.patch b/queue-4.19/phy-cpcap-usb-fix-flakey-host-idling-and-enumerating-of-devices.patch new file mode 100644 index 00000000000..cb999df1333 --- /dev/null +++ b/queue-4.19/phy-cpcap-usb-fix-flakey-host-idling-and-enumerating-of-devices.patch @@ -0,0 +1,48 @@ +From 049226b9fd7442149dcbcf55f15408f5973cceda Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Sun, 22 Dec 2019 10:00:19 -0800 +Subject: phy: cpcap-usb: Fix flakey host idling and enumerating of devices + +From: Tony Lindgren + +commit 049226b9fd7442149dcbcf55f15408f5973cceda upstream. + +We must let the USB host idle things properly before we switch to debug +UART mode. Otherwise the USB host may never idle after disconnecting +devices, and that causes the next enumeration to be flakey. + +Cc: Jacopo Mondi +Cc: Marcel Partap +Cc: Merlijn Wajer +Cc: Michael Scott +Cc: NeKit +Cc: Pavel Machek +Cc: Sebastian Reichel +Acked-by: Pavel Machek +Fixes: 6d6ce40f63af ("phy: cpcap-usb: Add CPCAP PMIC USB support") +Signed-off-by: Tony Lindgren +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/motorola/phy-cpcap-usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/phy/motorola/phy-cpcap-usb.c ++++ b/drivers/phy/motorola/phy-cpcap-usb.c +@@ -281,13 +281,13 @@ static void cpcap_usb_detect(struct work + return; + } + ++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF); ++ + /* Default to debug UART mode */ + error = cpcap_usb_set_uart_mode(ddata); + if (error) + goto out_err; + +- cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF); +- + dev_dbg(ddata->dev, "set UART mode\n"); + + return; diff --git a/queue-4.19/series b/queue-4.19/series index ce715316ede..f20e3eed207 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -37,3 +37,10 @@ mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch scsi-bfa-release-allocated-memory-in-case-of-error.patch rtl8xxxu-prevent-leaking-urb.patch ath10k-fix-memory-leak.patch +hid-hiddev-fix-mess-in-hiddev_open.patch +usb-fix-don-t-skip-endpoint-descriptors-with-maxpacket-0.patch +phy-cpcap-usb-fix-error-path-when-no-host-driver-is-loaded.patch +phy-cpcap-usb-fix-flakey-host-idling-and-enumerating-of-devices.patch +netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch +netfilter-conntrack-dccp-sctp-handle-null-timeout-argument.patch +netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch diff --git a/queue-4.19/usb-fix-don-t-skip-endpoint-descriptors-with-maxpacket-0.patch b/queue-4.19/usb-fix-don-t-skip-endpoint-descriptors-with-maxpacket-0.patch new file mode 100644 index 00000000000..793d86ff1d9 --- /dev/null +++ b/queue-4.19/usb-fix-don-t-skip-endpoint-descriptors-with-maxpacket-0.patch @@ -0,0 +1,63 @@ +From 2548288b4fb059b2da9ceada172ef763077e8a59 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 6 Jan 2020 10:43:42 -0500 +Subject: USB: Fix: Don't skip endpoint descriptors with maxpacket=0 + +From: Alan Stern + +commit 2548288b4fb059b2da9ceada172ef763077e8a59 upstream. + +It turns out that even though endpoints with a maxpacket length of 0 +aren't useful for data transfer, the descriptors do serve other +purposes. In particular, skipping them will also skip over other +class-specific descriptors for classes such as UVC. This unexpected +side effect has caused some UVC cameras to stop working. + +In addition, the USB spec requires that when isochronous endpoint +descriptors are present in an interface's altsetting 0 (which is true +on some devices), the maxpacket size _must_ be set to 0. Warning +about such things seems like a bad idea. + +This patch updates an earlier commit which would log a warning and +skip these endpoint descriptors. Now we only log a warning, and we +don't even do that for isochronous endpoints in altsetting 0. + +We don't need to worry about preventing endpoints with maxpacket = 0 +from ever being used for data transfers; usb_submit_urb() already +checks for this. + +Reported-and-tested-by: Roger Whittaker +Fixes: d482c7bb0541 ("USB: Skip endpoints with 0 maxpacket length") +Signed-off-by: Alan Stern +CC: Laurent Pinchart +Link: https://marc.info/?l=linux-usb&m=157790377329882&w=2 +Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2001061040270.1514-100000@iolanthe.rowland.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/config.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -392,12 +392,16 @@ static int usb_parse_endpoint(struct dev + endpoint->desc.wMaxPacketSize = cpu_to_le16(8); + } + +- /* Validate the wMaxPacketSize field */ ++ /* ++ * Validate the wMaxPacketSize field. ++ * Some devices have isochronous endpoints in altsetting 0; ++ * the USB-2 spec requires such endpoints to have wMaxPacketSize = 0 ++ * (see the end of section 5.6.3), so don't warn about them. ++ */ + maxp = usb_endpoint_maxp(&endpoint->desc); +- if (maxp == 0) { +- dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n", ++ if (maxp == 0 && !(usb_endpoint_xfer_isoc(d) && asnum == 0)) { ++ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid wMaxPacketSize 0\n", + cfgno, inum, asnum, d->bEndpointAddress); +- goto skip_to_next_endpoint_or_interface_descriptor; + } + + /* Find the highest legal maxpacket size for this endpoint */