From: Greg Kroah-Hartman
Date: Thu, 30 Jan 2020 09:35:19 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v5.5.1~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c877b29911367e09b5a9452d0a5429e004c0160;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
ath9k-fix-storage-endpoint-lookup.patch
brcmfmac-fix-interface-sanity-check.patch
orinoco_usb-fix-interface-sanity-check.patch
rsi_91x_usb-fix-interface-sanity-check.patch
rtl8xxxu-fix-interface-sanity-check.patch
staging-most-net-fix-buffer-overflow.patch
staging-vt6656-correct-packet-types-for-cts-protect-mode.patch
staging-vt6656-fix-false-tx-excessive-retries-reporting.patch
staging-vt6656-use-nullfuction-stack-on-mac80211.patch
staging-wlan-ng-ensure-error-return-is-actually-returned.patch
usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
usb-serial-ir-usb-fix-irlap-framing.patch
usb-serial-ir-usb-fix-link-speed-handling.patch
zd1211rw-fix-storage-endpoint-lookup.patch
---
diff --git a/queue-4.4/ath9k-fix-storage-endpoint-lookup.patch b/queue-4.4/ath9k-fix-storage-endpoint-lookup.patch
new file mode 100644
index 00000000000..98ff66914df
--- /dev/null
+++ b/queue-4.4/ath9k-fix-storage-endpoint-lookup.patch
@@ -0,0 +1,37 @@ +From 0ef332951e856efa89507cdd13ba8f4fb8d4db12 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:20 +0100 +Subject: ath9k: fix storage endpoint lookup + +From: Johan Hovold + +commit 0ef332951e856efa89507cdd13ba8f4fb8d4db12 upstream. + +Make sure to use the current alternate setting when verifying the +storage interface descriptors to avoid submitting an URB to an invalid +endpoint. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") +Cc: stable # 2.6.39 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1211,7 +1211,7 @@ err_fw: + static int send_eject_command(struct usb_interface *interface) + { + struct usb_device *udev = interface_to_usbdev(interface); +- struct usb_host_interface *iface_desc = &interface->altsetting[0]; ++ struct usb_host_interface *iface_desc = interface->cur_altsetting; + struct usb_endpoint_descriptor *endpoint; + unsigned char *cmd; + u8 bulk_out_ep; diff --git a/queue-4.4/brcmfmac-fix-interface-sanity-check.patch b/queue-4.4/brcmfmac-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..b6ce854c8d5 --- /dev/null +++ b/queue-4.4/brcmfmac-fix-interface-sanity-check.patch 
@@ -0,0 +1,46 @@ +From 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:22 +0100 +Subject: brcmfmac: fix interface sanity check + +From: Johan Hovold + +commit 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Cc: stable # 3.4 +Cc: Arend van Spriel +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c +@@ -1352,7 +1352,7 @@ brcmf_usb_probe(struct usb_interface *in + goto fail; + } + +- desc = &intf->altsetting[0].desc; ++ desc = &intf->cur_altsetting->desc; + if ((desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) || + (desc->bInterfaceSubClass != 2) || + (desc->bInterfaceProtocol != 0xff)) { +@@ -1365,7 +1365,7 @@ brcmf_usb_probe(struct usb_interface *in + + num_of_eps = desc->bNumEndpoints; + for (ep = 0; ep < num_of_eps; ep++) { +- endpoint = &intf->altsetting[0].endpoint[ep].desc; ++ endpoint = &intf->cur_altsetting->endpoint[ep].desc; + endpoint_num = usb_endpoint_num(endpoint); + if (!usb_endpoint_xfer_bulk(endpoint)) + continue; diff --git a/queue-4.4/orinoco_usb-fix-interface-sanity-check.patch b/queue-4.4/orinoco_usb-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..3f8f2ac823b --- /dev/null +++ b/queue-4.4/orinoco_usb-fix-interface-sanity-check.patch 
@@ -0,0 +1,39 @@ +From b73e05aa543cf8db4f4927e36952360d71291d41 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:23 +0100 +Subject: orinoco_usb: fix interface sanity check + +From: Johan Hovold + +commit b73e05aa543cf8db4f4927e36952360d71291d41 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver") +Cc: stable # 2.6.35 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/orinoco/orinoco_usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/orinoco/orinoco_usb.c ++++ b/drivers/net/wireless/orinoco/orinoco_usb.c +@@ -1601,9 +1601,9 @@ static int ezusb_probe(struct usb_interf + /* set up the endpoint information */ + /* check out the endpoints */ + +- iface_desc = &interface->altsetting[0].desc; ++ iface_desc = &interface->cur_altsetting->desc; + for (i = 0; i < iface_desc->bNumEndpoints; ++i) { +- ep = &interface->altsetting[0].endpoint[i].desc; ++ ep = &interface->cur_altsetting->endpoint[i].desc; + + if (usb_endpoint_is_bulk_in(ep)) { + /* we found a bulk in endpoint */ diff --git a/queue-4.4/rsi_91x_usb-fix-interface-sanity-check.patch b/queue-4.4/rsi_91x_usb-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..523f121e076 --- /dev/null +++ b/queue-4.4/rsi_91x_usb-fix-interface-sanity-check.patch 
@@ -0,0 +1,37 @@ +From 3139b180906af43bc09bd3373fc2338a8271d9d9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:25 +0100 +Subject: rsi_91x_usb: fix interface sanity check + +From: Johan Hovold + +commit 3139b180906af43bc09bd3373fc2338a8271d9d9 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") +Cc: stable # 3.15 +Cc: Fariya Fatima +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_usb.c ++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c +@@ -103,7 +103,7 @@ static int rsi_find_bulk_in_and_out_endp + __le16 buffer_size; + int ii, bep_found = 0; + +- iface_desc = &(interface->altsetting[0]); ++ iface_desc = interface->cur_altsetting; + + for (ii = 0; ii < iface_desc->desc.bNumEndpoints; ++ii) { + endpoint = &(iface_desc->endpoint[ii].desc); diff --git a/queue-4.4/rtl8xxxu-fix-interface-sanity-check.patch b/queue-4.4/rtl8xxxu-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..767e0ac502e --- /dev/null +++ b/queue-4.4/rtl8xxxu-fix-interface-sanity-check.patch 
@@ -0,0 +1,37 @@ +From 39a4281c312f2d226c710bc656ce380c621a2b16 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:24 +0100 +Subject: rtl8xxxu: fix interface sanity check + +From: Johan Hovold + +commit 39a4281c312f2d226c710bc656ce380c621a2b16 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Cc: stable # 4.4 +Cc: Jes Sorensen +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c +@@ -5555,7 +5555,7 @@ static int rtl8xxxu_parse_usb(struct rtl + u8 dir, xtype, num; + int ret = 0; + +- host_interface = &interface->altsetting[0]; ++ host_interface = interface->cur_altsetting; + interface_desc = &host_interface->desc; + endpoints = interface_desc->bNumEndpoints; + diff --git a/queue-4.4/series b/queue-4.4/series index e044d73692a..3700e842182 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -1 +1,16 @@
 alsa-pcm-add-missing-copy-ops-check-before-clearing-buffer.patch
+orinoco_usb-fix-interface-sanity-check.patch
+rsi_91x_usb-fix-interface-sanity-check.patch
+usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
+usb-serial-ir-usb-fix-link-speed-handling.patch
+usb-serial-ir-usb-fix-irlap-framing.patch
+usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
+staging-most-net-fix-buffer-overflow.patch
+staging-wlan-ng-ensure-error-return-is-actually-returned.patch
+staging-vt6656-correct-packet-types-for-cts-protect-mode.patch
+staging-vt6656-use-nullfuction-stack-on-mac80211.patch
+staging-vt6656-fix-false-tx-excessive-retries-reporting.patch
+ath9k-fix-storage-endpoint-lookup.patch
+brcmfmac-fix-interface-sanity-check.patch
+rtl8xxxu-fix-interface-sanity-check.patch
+zd1211rw-fix-storage-endpoint-lookup.patch
diff --git a/queue-4.4/staging-most-net-fix-buffer-overflow.patch b/queue-4.4/staging-most-net-fix-buffer-overflow.patch
new file mode 100644
index 00000000000..b5377c5cc68
--- /dev/null
+++ b/queue-4.4/staging-most-net-fix-buffer-overflow.patch
@@ -0,0 +1,58 @@ +From 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 Mon Sep 17 00:00:00 2001 +From: Andrey Shvetsov +Date: Thu, 16 Jan 2020 18:22:39 +0100 +Subject: staging: most: net: fix buffer overflow + +From: Andrey Shvetsov + +commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream. + +If the length of the socket buffer is 0xFFFFFFFF (max size for an +unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14 +(ETH_HLEN). Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN) +which overflows and results in a value of 2. These values for +payload_len and mdp_len will pass current buffer size checks. + +This patch checks if derived from skb->len sum may overflow. + +The check is based on the following idea: + +For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`, +`V1 + V2` overflows iif `SUM < V1`. + +Reported-by: Greg Kroah-Hartman +Signed-off-by: Andrey Shvetsov +Cc: stable +Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/most/aim-network/networking.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/staging/most/aim-network/networking.c ++++ b/drivers/staging/most/aim-network/networking.c +@@ -87,6 +87,11 @@ static int skb_to_mamac(const struct sk_ + unsigned int payload_len = skb->len - ETH_HLEN; + unsigned int mdp_len = payload_len + MDP_HDR_LEN; + ++ if (mdp_len < skb->len) { ++ pr_err("drop: too large packet! (%u)\n", skb->len); ++ return -EINVAL; ++ } ++ + if (mbo->buffer_length < mdp_len) { + pr_err("drop: too small buffer! (%d for %d)\n", + mbo->buffer_length, mdp_len); +@@ -134,6 +139,11 @@ static int skb_to_mep(const struct sk_bu + u8 *buff = mbo->virt_address; + unsigned int mep_len = skb->len + MEP_HDR_LEN; + ++ if (mep_len < skb->len) { ++ pr_err("drop: too large packet! (%u)\n", skb->len); ++ return -EINVAL; ++ } ++ + if (mbo->buffer_length < mep_len) { + pr_err("drop: too small buffer! 
(%d for %d)\n", + mbo->buffer_length, mep_len); diff --git a/queue-4.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch b/queue-4.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch new file mode 100644 index 00000000000..317bf66ffed --- /dev/null +++ b/queue-4.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch 
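Review bot: The new wrap checks in skb_to_mamac() and skb_to_mep() are correct only because of a relation between constants that no comment states. In skb_to_mamac() `mdp_len` is `skb->len - ETH_HLEN + MDP_HDR_LEN`, so `mdp_len < skb->len` detects the wrap only while MDP_HDR_LEN is larger than ETH_HLEN (the message gives 16 and 14); a line such as `/* mdp_len == skb->len + 2 here, so mdp_len < skb->len means the sum wrapped */` would keep that visible. The same test does not catch `skb->len < ETH_HLEN`: there `payload_len` itself wraps, `mdp_len` comes out as a small value, and both size checks shown in the hunk pass. Both function bodies continue outside the hunk, so confirm that a lower-bound check on `skb->len` runs before `payload_len` is used as a copy length.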
@@ -0,0 +1,60 @@ +From d971fdd3412f8342747778fb59b8803720ed82b1 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:40:58 +0000 +Subject: staging: vt6656: correct packet types for CTS protect, mode. + +From: Malcolm Priestley + +commit d971fdd3412f8342747778fb59b8803720ed82b1 upstream. + +It appears that the driver still transmits in CTS protect mode even +though it is not enabled in mac80211. + +That is both packet types PK_TYPE_11GA and PK_TYPE_11GB both use CTS protect. +The only difference between them GA does not use B rates. + +Find if only B rate in GB or GA in protect mode otherwise transmit packets +as PK_TYPE_11A. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/9c1323ff-dbb3-0eaa-43e1-9453f7390dc0@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/device.h | 2 ++ + drivers/staging/vt6656/rxtx.c | 12 ++++++++---- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/staging/vt6656/device.h ++++ b/drivers/staging/vt6656/device.h +@@ -65,6 +65,8 @@ + #define RATE_AUTO 12 + + #define MAX_RATE 12 ++#define VNT_B_RATES (BIT(RATE_1M) | BIT(RATE_2M) |\ ++ BIT(RATE_5M) | BIT(RATE_11M)) + + /* + * device specific +--- a/drivers/staging/vt6656/rxtx.c ++++ b/drivers/staging/vt6656/rxtx.c +@@ -815,10 +815,14 @@ int vnt_tx_packet(struct vnt_private *pr + if (info->band == IEEE80211_BAND_5GHZ) { + pkt_type = PK_TYPE_11A; + } else { +- if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) +- pkt_type = PK_TYPE_11GB; +- else +- pkt_type = PK_TYPE_11GA; ++ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) { ++ if (priv->basic_rates & VNT_B_RATES) ++ pkt_type = PK_TYPE_11GB; ++ else ++ pkt_type = PK_TYPE_11GA; ++ } else { ++ pkt_type = PK_TYPE_11A; ++ } + } + } else { + pkt_type = PK_TYPE_11B; 
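Review bot: The new outer `else` in vnt_tx_packet() assigns `PK_TYPE_11A` on the branch where `info->band` is not 5 GHz, which reads like a copy-paste slip unless the reader already knows the commit message. A short comment on that branch would carry the reasoning into the code, for example `/* no CTS protection requested: send as plain 11A packet type */`. The `VNT_B_RATES` define added to device.h would also benefit from a one-line comment saying it is a mask over `priv->basic_rates`. The enclosing function starts and ends outside the hunk.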
diff --git a/queue-4.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch b/queue-4.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch new file mode 100644 index 00000000000..693b6713998 --- /dev/null +++ b/queue-4.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch @@ -0,0 +1,39 @@ +From 9dd631fa99dc0a0dfbd191173bf355ba30ea786a Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:41:36 +0000 +Subject: staging: vt6656: Fix false Tx excessive retries reporting. + +From: Malcolm Priestley + +commit 9dd631fa99dc0a0dfbd191173bf355ba30ea786a upstream. + +The driver reporting IEEE80211_TX_STAT_ACK is not being handled +correctly. The driver should only report on TSR_TMO flag is not +set indicating no transmission errors and when not IEEE80211_TX_CTL_NO_ACK +is being requested. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/340f1f7f-c310-dca5-476f-abc059b9cd97@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/int.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/staging/vt6656/int.c ++++ b/drivers/staging/vt6656/int.c +@@ -111,9 +111,11 @@ static int vnt_int_report_rate(struct vn + + info->status.rates[0].count = tx_retry; + +- if (!(tsr & (TSR_TMO | TSR_RETRYTMO))) { ++ if (!(tsr & TSR_TMO)) { + info->status.rates[0].idx = idx; +- info->flags |= IEEE80211_TX_STAT_ACK; ++ ++ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK)) ++ info->flags |= IEEE80211_TX_STAT_ACK; + } + + ieee80211_tx_status_irqsafe(priv->hw, context->skb); diff --git a/queue-4.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch b/queue-4.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch new file mode 100644 index 00000000000..f914d1da7a8 --- /dev/null +++ b/queue-4.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch 
@@ -0,0 +1,66 @@ +From d579c43c82f093e63639151625b2139166c730fd Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:41:20 +0000 +Subject: staging: vt6656: use NULLFUCTION stack on mac80211 + +From: Malcolm Priestley + +commit d579c43c82f093e63639151625b2139166c730fd upstream. + +It appears that the drivers does not go into power save correctly the +NULL data packets are not being transmitted because it not enabled +in mac80211. + +The driver needs to capture ieee80211_is_nullfunc headers and +copy the duration_id to it's own duration data header. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/610971ae-555b-a6c3-61b3-444a0c1e35b4@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/main_usb.c | 1 + + drivers/staging/vt6656/rxtx.c | 14 +++++--------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -1002,6 +1002,7 @@ vt6656_probe(struct usb_interface *intf, + ieee80211_hw_set(priv->hw, RX_INCLUDES_FCS); + ieee80211_hw_set(priv->hw, REPORTS_TX_ACK_STATUS); + ieee80211_hw_set(priv->hw, SUPPORTS_PS); ++ ieee80211_hw_set(priv->hw, PS_NULLFUNC_STACK); + + priv->hw->max_signal = 100; + +--- a/drivers/staging/vt6656/rxtx.c ++++ b/drivers/staging/vt6656/rxtx.c +@@ -280,11 +280,9 @@ static u16 vnt_rxtx_datahead_g(struct vn + PK_TYPE_11B, &buf->b); + + /* Get Duration and TimeStamp */ +- if (ieee80211_is_pspoll(hdr->frame_control)) { +- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15)); +- +- buf->duration_a = dur; +- buf->duration_b = dur; ++ if (ieee80211_is_nullfunc(hdr->frame_control)) { ++ buf->duration_a = hdr->duration_id; ++ buf->duration_b = hdr->duration_id; + } else { + buf->duration_a = vnt_get_duration_le(priv, + tx_context->pkt_type, need_ack); +@@ -373,10 +371,8 @@ static u16 vnt_rxtx_datahead_ab(struct v + tx_context->pkt_type, &buf->ab); + + /* Get Duration and TimeStampOff */ 
+- if (ieee80211_is_pspoll(hdr->frame_control)) { +- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15)); +- +- buf->duration = dur; ++ if (ieee80211_is_nullfunc(hdr->frame_control)) { ++ buf->duration = hdr->duration_id; + } else { + buf->duration = vnt_get_duration_le(priv, tx_context->pkt_type, + need_ack); diff --git a/queue-4.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch b/queue-4.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch new file mode 100644 index 00000000000..dce88085785 --- /dev/null +++ b/queue-4.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch @@ -0,0 +1,37 @@ +From 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 14 Jan 2020 18:16:04 +0000 +Subject: staging: wlan-ng: ensure error return is actually returned + +From: Colin Ian King + +commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream. + +Currently when the call to prism2sta_ifst fails a netdev_err error +is reported, error return variable result is set to -1 but the +function always returns 0 for success. Fix this by returning +the error value in variable result rather than 0. + +Addresses-Coverity: ("Unused value") +Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver") +Signed-off-by: Colin Ian King +Cc: stable +Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/prism2mgmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/wlan-ng/prism2mgmt.c ++++ b/drivers/staging/wlan-ng/prism2mgmt.c +@@ -940,7 +940,7 @@ int prism2mgmt_flashdl_state(wlandevice_ + } + } + +- return 0; ++ return result; + } + + /*---------------------------------------------------------------- 
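Review bot: PS-Poll frames lose their special-case duration in both vnt_rxtx_datahead_g() and vnt_rxtx_datahead_ab(), because the `ieee80211_is_pspoll()` branch is replaced rather than extended. A PS-Poll frame now takes the `vnt_get_duration_le()` path, and in that frame type the duration/ID field carries the association ID rather than a duration. If PS-Poll frames can still reach these functions (not visible from the hunk), the device header would carry a computed duration in place of the AID. Assuming the stack fills `hdr->duration_id` for PS-Poll as it does for nullfunc, the condition could cover both: `if (ieee80211_is_nullfunc(hdr->frame_control) || ieee80211_is_pspoll(hdr->frame_control))`. Both function bodies extend outside their hunks.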
diff --git a/queue-4.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch b/queue-4.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch new file mode 100644 index 00000000000..cf5924a3e3e --- /dev/null +++ b/queue-4.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch @@ -0,0 +1,35 @@ +From 09ed259fac621634d51cd986aa8d65f035662658 Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Wed, 11 Dec 2019 10:10:03 -0600 +Subject: usb: dwc3: turn off VBUS when leaving host mode + +From: Bin Liu + +commit 09ed259fac621634d51cd986aa8d65f035662658 upstream. + +VBUS should be turned off when leaving the host mode. +Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to +turn off VBUS power. + +Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function") +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -801,6 +801,9 @@ static void dwc3_core_exit_mode(struct d + /* do nothing */ + break; + } ++ ++ /* de-assert DRVVBUS for HOST and OTG mode */ ++ dwc3_set_prtcap(dwc, DWC3_GCTL_PRTCAP_DEVICE); + } + + #define DWC3_ALIGN_MASK (16 - 1) diff --git a/queue-4.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch b/queue-4.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..d3a3618b260 --- /dev/null +++ b/queue-4.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch 
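Review bot: The added comment in dwc3_core_exit_mode() says the call is for HOST and OTG mode, but `dwc3_set_prtcap(dwc, DWC3_GCTL_PRTCAP_DEVICE)` appears to sit after the switch's closing brace. It therefore runs for every mode, including the `/* do nothing */` case visible just above it. Either reword the comment to match, e.g. `/* runs for every mode; de-asserts DRVVBUS when leaving HOST or OTG mode */`, or move the call into the host and OTG cases so the code matches the comment. The switch cases themselves are outside the hunk.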
@@ -0,0 +1,40 @@ +From 2988a8ae7476fe9535ab620320790d1714bdad1d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:26 +0100 +Subject: USB: serial: ir-usb: add missing endpoint sanity check + +From: Johan Hovold + +commit 2988a8ae7476fe9535ab620320790d1714bdad1d upstream. + +Add missing endpoint sanity check to avoid dereferencing a NULL-pointer +on open() in case a device lacks a bulk-out endpoint. + +Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using +generic framework") the oops would instead happen on open() if the +device lacked a bulk-in endpoint and on write() if it lacked a bulk-out +endpoint. + +Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ir-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -198,6 +198,9 @@ static int ir_startup(struct usb_serial + { + struct usb_irda_cs_descriptor *irda_desc; + ++ if (serial->num_bulk_in < 1 || serial->num_bulk_out < 1) ++ return -ENODEV; ++ + irda_desc = irda_usb_find_class_desc(serial, 0); + if (!irda_desc) { + dev_err(&serial->dev->dev, diff --git a/queue-4.4/usb-serial-ir-usb-fix-irlap-framing.patch b/queue-4.4/usb-serial-ir-usb-fix-irlap-framing.patch new file mode 100644 index 00000000000..cffc8c6544b --- /dev/null +++ b/queue-4.4/usb-serial-ir-usb-fix-irlap-framing.patch 
@@ -0,0 +1,173 @@ +From 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:28 +0100 +Subject: USB: serial: ir-usb: fix IrLAP framing + +From: Johan Hovold + +commit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream. + +Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +switched to using the generic write implementation which may combine +multiple write requests into larger transfers. This can break the IrLAP +protocol where end-of-frame is determined using the USB short packet +mechanism, for example, if multiple frames are sent in rapid succession. + +Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +Cc: stable # 2.6.35 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ir-usb.c | 113 +++++++++++++++++++++++++++++++++++--------- + 1 file changed, 91 insertions(+), 22 deletions(-) + +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -49,9 +49,10 @@ static int buffer_size; + static int xbof = -1; + + static int ir_startup (struct usb_serial *serial); +-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port); +-static int ir_prepare_write_buffer(struct usb_serial_port *port, +- void *dest, size_t size); ++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port, ++ const unsigned char *buf, int count); ++static int ir_write_room(struct tty_struct *tty); ++static void ir_write_bulk_callback(struct urb *urb); + static void ir_process_read_urb(struct urb *urb); + static void ir_set_termios(struct tty_struct *tty, + struct usb_serial_port *port, struct ktermios *old_termios); +@@ -81,8 +82,9 @@ static struct usb_serial_driver ir_devic + .num_ports = 1, + .set_termios = ir_set_termios, + .attach = ir_startup, +- .open = ir_open, +- .prepare_write_buffer = ir_prepare_write_buffer, ++ .write = ir_write, ++ .write_room = ir_write_room, 
++ .write_bulk_callback = ir_write_bulk_callback, + .process_read_urb = ir_process_read_urb, + }; + +@@ -255,35 +257,102 @@ static int ir_startup(struct usb_serial + return 0; + } + +-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port) ++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port, ++ const unsigned char *buf, int count) + { +- int i; ++ struct urb *urb = NULL; ++ unsigned long flags; ++ int ret; + +- for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i) +- port->write_urbs[i]->transfer_flags = URB_ZERO_PACKET; ++ if (port->bulk_out_size == 0) ++ return -EINVAL; + +- /* Start reading from the device */ +- return usb_serial_generic_open(tty, port); +-} ++ if (count == 0) ++ return 0; + +-static int ir_prepare_write_buffer(struct usb_serial_port *port, +- void *dest, size_t size) +-{ +- unsigned char *buf = dest; +- int count; ++ count = min(count, port->bulk_out_size - 1); ++ ++ spin_lock_irqsave(&port->lock, flags); ++ if (__test_and_clear_bit(0, &port->write_urbs_free)) { ++ urb = port->write_urbs[0]; ++ port->tx_bytes += count; ++ } ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ if (!urb) ++ return 0; + + /* + * The first byte of the packet we send to the device contains an +- * inbound header which indicates an additional number of BOFs and ++ * outbound header which indicates an additional number of BOFs and + * a baud rate change. + * + * See section 5.4.2.2 of the USB IrDA spec. 
+ */ +- *buf = ir_xbof | ir_baud; ++ *(u8 *)urb->transfer_buffer = ir_xbof | ir_baud; ++ ++ memcpy(urb->transfer_buffer + 1, buf, count); ++ ++ urb->transfer_buffer_length = count + 1; ++ urb->transfer_flags = URB_ZERO_PACKET; ++ ++ ret = usb_submit_urb(urb, GFP_ATOMIC); ++ if (ret) { ++ dev_err(&port->dev, "failed to submit write urb: %d\n", ret); ++ ++ spin_lock_irqsave(&port->lock, flags); ++ __set_bit(0, &port->write_urbs_free); ++ port->tx_bytes -= count; ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ return ret; ++ } ++ ++ return count; ++} ++ ++static void ir_write_bulk_callback(struct urb *urb) ++{ ++ struct usb_serial_port *port = urb->context; ++ int status = urb->status; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&port->lock, flags); ++ __set_bit(0, &port->write_urbs_free); ++ port->tx_bytes -= urb->transfer_buffer_length - 1; ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ switch (status) { ++ case 0: ++ break; ++ case -ENOENT: ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ dev_dbg(&port->dev, "write urb stopped: %d\n", status); ++ return; ++ case -EPIPE: ++ dev_err(&port->dev, "write urb stopped: %d\n", status); ++ return; ++ default: ++ dev_err(&port->dev, "nonzero write-urb status: %d\n", status); ++ break; ++ } ++ ++ usb_serial_port_softint(port); ++} ++ ++static int ir_write_room(struct tty_struct *tty) ++{ ++ struct usb_serial_port *port = tty->driver_data; ++ int count = 0; ++ ++ if (port->bulk_out_size == 0) ++ return 0; ++ ++ if (test_bit(0, &port->write_urbs_free)) ++ count = port->bulk_out_size - 1; + +- count = kfifo_out_locked(&port->write_fifo, buf + 1, size - 1, +- &port->lock); +- return count + 1; ++ return count; + } + + static void ir_process_read_urb(struct urb *urb) diff --git a/queue-4.4/usb-serial-ir-usb-fix-link-speed-handling.patch b/queue-4.4/usb-serial-ir-usb-fix-link-speed-handling.patch new file mode 100644 index 00000000000..eac85e9087a --- /dev/null 
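Review bot: In ir_write() a `port->bulk_out_size` of 1 passes the `== 0` guard, and `count = min(count, port->bulk_out_size - 1)` then clamps `count` to 0 after the `count == 0` early return has already been passed. The function would submit a header-only URB and return 0 for a non-empty write, and ir_write_room() would report 0 bytes of room even when the URB is free. Whether the usb-serial core can produce such a size for this driver is not visible here. Rejecting it up front makes the one-byte header assumption explicit: `if (port->bulk_out_size < 2) return -EINVAL;` in ir_write(), and the matching `< 2` test in ir_write_room().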
+++ b/queue-4.4/usb-serial-ir-usb-fix-link-speed-handling.patch 
@@ -0,0 +1,102 @@ +From 17a0184ca17e288decdca8b2841531e34d49285f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:27 +0100 +Subject: USB: serial: ir-usb: fix link-speed handling + +From: Johan Hovold + +commit 17a0184ca17e288decdca8b2841531e34d49285f upstream. + +Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB +IrDA header with common defines, but mistakingly switched to using the +class-descriptor baud-rate bitmask values for the outbound header. + +This broke link-speed handling for rates above 9600 baud, but a device +would also be able to operate at the default 9600 baud until a +link-speed request was issued (e.g. using the TCGETS ioctl). + +Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module") +Cc: stable # 2.6.27 +Cc: Felipe Balbi +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ir-usb.c | 20 ++++++++++---------- + include/linux/usb/irda.h | 13 ++++++++++++- + 2 files changed, 22 insertions(+), 11 deletions(-) + +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -336,34 +336,34 @@ static void ir_set_termios(struct tty_st + + switch (baud) { + case 2400: +- ir_baud = USB_IRDA_BR_2400; ++ ir_baud = USB_IRDA_LS_2400; + break; + case 9600: +- ir_baud = USB_IRDA_BR_9600; ++ ir_baud = USB_IRDA_LS_9600; + break; + case 19200: +- ir_baud = USB_IRDA_BR_19200; ++ ir_baud = USB_IRDA_LS_19200; + break; + case 38400: +- ir_baud = USB_IRDA_BR_38400; ++ ir_baud = USB_IRDA_LS_38400; + break; + case 57600: +- ir_baud = USB_IRDA_BR_57600; ++ ir_baud = USB_IRDA_LS_57600; + break; + case 115200: +- ir_baud = USB_IRDA_BR_115200; ++ ir_baud = USB_IRDA_LS_115200; + break; + case 576000: +- ir_baud = USB_IRDA_BR_576000; ++ ir_baud = USB_IRDA_LS_576000; + break; + case 1152000: +- ir_baud = USB_IRDA_BR_1152000; ++ ir_baud = USB_IRDA_LS_1152000; + break; + case 4000000: +- ir_baud = USB_IRDA_BR_4000000; ++ ir_baud = 
USB_IRDA_LS_4000000; + break; + default: +- ir_baud = USB_IRDA_BR_9600; ++ ir_baud = USB_IRDA_LS_9600; + baud = 9600; + } + +--- a/include/linux/usb/irda.h ++++ b/include/linux/usb/irda.h +@@ -118,11 +118,22 @@ struct usb_irda_cs_descriptor { + * 6 - 115200 bps + * 7 - 576000 bps + * 8 - 1.152 Mbps +- * 9 - 5 mbps ++ * 9 - 4 Mbps + * 10..15 - Reserved + */ + #define USB_IRDA_STATUS_LINK_SPEED 0x0f + ++#define USB_IRDA_LS_NO_CHANGE 0 ++#define USB_IRDA_LS_2400 1 ++#define USB_IRDA_LS_9600 2 ++#define USB_IRDA_LS_19200 3 ++#define USB_IRDA_LS_38400 4 ++#define USB_IRDA_LS_57600 5 ++#define USB_IRDA_LS_115200 6 ++#define USB_IRDA_LS_576000 7 ++#define USB_IRDA_LS_1152000 8 ++#define USB_IRDA_LS_4000000 9 ++ + /* The following is a 4-bit value used only for + * outbound header: + * diff --git a/queue-4.4/zd1211rw-fix-storage-endpoint-lookup.patch b/queue-4.4/zd1211rw-fix-storage-endpoint-lookup.patch new file mode 100644 index 00000000000..281b9098d62 --- /dev/null +++ b/queue-4.4/zd1211rw-fix-storage-endpoint-lookup.patch 
@@ -0,0 +1,37 @@ +From 2d68bb2687abb747558b933e80845ff31570a49c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:26 +0100 +Subject: zd1211rw: fix storage endpoint lookup + +From: Johan Hovold + +commit 2d68bb2687abb747558b933e80845ff31570a49c upstream. + +Make sure to use the current alternate setting when verifying the +storage interface descriptors to avoid submitting an URB to an invalid +endpoint. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device") +Cc: stable # 2.6.19 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/zd1211rw/zd_usb.c ++++ b/drivers/net/wireless/zd1211rw/zd_usb.c +@@ -1272,7 +1272,7 @@ static void print_id(struct usb_device * + static int eject_installer(struct usb_interface *intf) + { + struct usb_device *udev = interface_to_usbdev(intf); +- struct usb_host_interface *iface_desc = &intf->altsetting[0]; ++ struct usb_host_interface *iface_desc = intf->cur_altsetting; + struct usb_endpoint_descriptor *endpoint; + unsigned char *cmd; + u8 bulk_out_ep;