From: Greg Kroah-Hartman
Date: Sun, 13 Jun 2021 12:22:56 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v4.4.273~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=880f41ba727af60905eb7cdbc44c27734d5bdc83;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch
	cgroup1-don-t-allow-n-in-renaming.patch
	drm-fix-use-after-free-read-in-drm_getunique.patch
	drm-lock-pointer-access-in-drm_master_release.patch
	kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
	staging-rtl8723bs-fix-uninitialized-variables.patch
	usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch
	usb-dwc3-ep0-fix-null-pointer-exception.patch
	usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
	usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch
	usb-fix-various-gadget-panics-on-10gbps-cabling.patch
	usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch
	usb-gadget-eem-fix-wrong-eem-header-operation.patch
	usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch
	usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch
	usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch
	usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
	usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
	usb-serial-quatech2-fix-control-request-directions.patch
	usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch
---
diff --git a/queue-4.19/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch b/queue-4.19/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch new file mode 100644 index 00000000000..3497c38c95b --- /dev/null +++ b/queue-4.19/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch 
@@ -0,0 +1,42 @@ +From e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Sun, 30 May 2021 20:24:05 +0530 +Subject: btrfs: return value from btrfs_mark_extent_written() in case of error + +From: Ritesh Harjani + +commit e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb upstream. + +We always return 0 even in case of an error in btrfs_mark_extent_written(). +Fix it to return proper error value in case of a failure. All callers +handle it. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Ritesh Harjani +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1154,7 +1154,7 @@ int btrfs_mark_extent_written(struct btr + int del_nr = 0; + int del_slot = 0; + int recow; +- int ret; ++ int ret = 0; + u64 ino = btrfs_ino(inode); + + path = btrfs_alloc_path(); +@@ -1374,7 +1374,7 @@ again: + } + out: + btrfs_free_path(path); +- return 0; ++ return ret; + } + + /* diff --git a/queue-4.19/cgroup1-don-t-allow-n-in-renaming.patch b/queue-4.19/cgroup1-don-t-allow-n-in-renaming.patch new file mode 100644 index 00000000000..4f2c9a9c9c6 --- /dev/null +++ b/queue-4.19/cgroup1-don-t-allow-n-in-renaming.patch 
@@ -0,0 +1,57 @@ +From b7e24eb1caa5f8da20d405d262dba67943aedc42 Mon Sep 17 00:00:00 2001 +From: Alexander Kuznetsov +Date: Wed, 9 Jun 2021 10:17:19 +0300 +Subject: cgroup1: don't allow '\n' in renaming + +From: Alexander Kuznetsov + +commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream. + +cgroup_mkdir() have restriction on newline usage in names: +$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2' +mkdir: cannot create directory +'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument + +But in cgroup1_rename() such check is missed. +This allows us to make /proc//cgroup unparsable: +$ mkdir /sys/fs/cgroup/cpu/test +$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2' +$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2' +$ cat /proc/self/cgroup +11:pids:/ +10:freezer:/ +9:hugetlb:/ +8:cpuset:/ +7:blkio:/user.slice +6:memory:/user.slice +5:net_cls,net_prio:/ +4:perf_event:/ +3:devices:/user.slice +2:cpu,cpuacct:/test +test2 +1:name=systemd:/ +0::/ + +Signed-off-by: Alexander Kuznetsov +Reported-by: Andrey Krasichkov +Acked-by: Dmitry Yakunin +Cc: stable@vger.kernel.org +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cgroup-v1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -849,6 +849,10 @@ static int cgroup1_rename(struct kernfs_ + struct cgroup *cgrp = kn->priv; + int ret; + ++ /* do not accept '\n' to prevent making /proc//cgroup unparsable */ ++ if (strchr(new_name_str, '\n')) ++ return -EINVAL; ++ + if (kernfs_type(kn) != KERNFS_DIR) + return -ENOTDIR; + if (kn->parent != new_parent) diff --git a/queue-4.19/drm-fix-use-after-free-read-in-drm_getunique.patch b/queue-4.19/drm-fix-use-after-free-read-in-drm_getunique.patch new file mode 100644 index 00000000000..e22562ef5d9 --- /dev/null +++ b/queue-4.19/drm-fix-use-after-free-read-in-drm_getunique.patch 
@@ -0,0 +1,62 @@ +From b436acd1cf7fac0ba987abd22955d98025c80c2b Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Tue, 8 Jun 2021 19:04:36 +0800 +Subject: drm: Fix use-after-free read in drm_getunique() + +From: Desmond Cheong Zhi Xi + +commit b436acd1cf7fac0ba987abd22955d98025c80c2b upstream. + +There is a time-of-check-to-time-of-use error in drm_getunique() due +to retrieving file_priv->master prior to locking the device's master +mutex. + +An example can be seen in the crash report of the use-after-free error +found by Syzbot: +https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 + +In the report, the master pointer was used after being freed. This is +because another process had acquired the device's master mutex in +drm_setmaster_ioctl(), then overwrote fpriv->master in +drm_new_set_master(). The old value of fpriv->master was subsequently +freed before the mutex was unlocked. + +To fix this, we lock the device's master mutex before retrieving the +pointer from from fpriv->master. This patch passes the Syzbot +reproducer test. 
+ +Reported-by: syzbot+c3a706cec1ea99e1c693@syzkaller.appspotmail.com +Signed-off-by: Desmond Cheong Zhi Xi +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210608110436.239583-1-desmondcheongzx@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_ioctl.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -112,17 +112,18 @@ int drm_getunique(struct drm_device *dev + struct drm_file *file_priv) + { + struct drm_unique *u = data; +- struct drm_master *master = file_priv->master; ++ struct drm_master *master; + +- mutex_lock(&master->dev->master_mutex); ++ mutex_lock(&dev->master_mutex); ++ master = file_priv->master; + if (u->unique_len >= master->unique_len) { + if (copy_to_user(u->unique, master->unique, master->unique_len)) { +- mutex_unlock(&master->dev->master_mutex); ++ mutex_unlock(&dev->master_mutex); + return -EFAULT; + } + } + u->unique_len = master->unique_len; +- mutex_unlock(&master->dev->master_mutex); ++ mutex_unlock(&dev->master_mutex); + + return 0; + } diff --git a/queue-4.19/drm-lock-pointer-access-in-drm_master_release.patch b/queue-4.19/drm-lock-pointer-access-in-drm_master_release.patch new file mode 100644 index 00000000000..1b318d8671d --- /dev/null +++ b/queue-4.19/drm-lock-pointer-access-in-drm_master_release.patch 
@@ -0,0 +1,52 @@ +From c336a5ee984708db4826ef9e47d184e638e29717 Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Wed, 9 Jun 2021 17:21:19 +0800 +Subject: drm: Lock pointer access in drm_master_release() + +From: Desmond Cheong Zhi Xi + +commit c336a5ee984708db4826ef9e47d184e638e29717 upstream. + +This patch eliminates the following smatch warning: +drivers/gpu/drm/drm_auth.c:320 drm_master_release() warn: unlocked access 'master' (line 318) expected lock '&dev->master_mutex' + +The 'file_priv->master' field should be protected by the mutex lock to +'&dev->master_mutex'. This is because other processes can concurrently +modify this field and free the current 'file_priv->master' +pointer. This could result in a use-after-free error when 'master' is +dereferenced in subsequent function calls to +'drm_legacy_lock_master_cleanup()' or to 'drm_lease_revoke()'. + +An example of a scenario that would produce this error can be seen +from a similar bug in 'drm_getunique()' that was reported by Syzbot: +https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 + +In the Syzbot report, another process concurrently acquired the +device's master mutex in 'drm_setmaster_ioctl()', then overwrote +'fpriv->master' in 'drm_new_set_master()'. The old value of +'fpriv->master' was subsequently freed before the mutex was unlocked. 
+ +Reported-by: Dan Carpenter +Signed-off-by: Desmond Cheong Zhi Xi +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210609092119.173590-1-desmondcheongzx@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_auth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_auth.c ++++ b/drivers/gpu/drm/drm_auth.c +@@ -265,9 +265,10 @@ int drm_master_open(struct drm_file *fil + void drm_master_release(struct drm_file *file_priv) + { + struct drm_device *dev = file_priv->minor->dev; +- struct drm_master *master = file_priv->master; ++ struct drm_master *master; + + mutex_lock(&dev->master_mutex); ++ master = file_priv->master; + if (file_priv->magic) + idr_remove(&file_priv->master->magic_map, file_priv->magic); + diff --git a/queue-4.19/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch b/queue-4.19/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch new file mode 100644 index 00000000000..e2e79ec9bcc --- /dev/null +++ b/queue-4.19/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch 
@@ -0,0 +1,75 @@ +From da27a83fd6cc7780fea190e1f5c19e87019da65c Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 8 Jun 2021 15:31:42 -0400 +Subject: kvm: avoid speculation-based attacks from out-of-range memslot accesses + +From: Paolo Bonzini + +commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream. + +KVM's mechanism for accessing guest memory translates a guest physical +address (gpa) to a host virtual address using the right-shifted gpa +(also known as gfn) and a struct kvm_memory_slot. The translation is +performed in __gfn_to_hva_memslot using the following formula: + + hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE + +It is expected that gfn falls within the boundaries of the guest's +physical memory. However, a guest can access invalid physical addresses +in such a way that the gfn is invalid. + +__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first +retrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot +does check that the gfn falls within the boundaries of the guest's +physical memory or not, a CPU can speculate the result of the check and +continue execution speculatively using an illegal gfn. The speculation +can result in calculating an out-of-bounds hva. If the resulting host +virtual address is used to load another guest physical address, this +is effectively a Spectre gadget consisting of two consecutive reads, +the second of which is data dependent on the first. + +Right now it's not clear if there are any cases in which this is +exploitable. One interesting case was reported by the original author +of this patch, and involves visiting guest page tables on x86. Right +now these are not vulnerable because the hva read goes through get_user(), +which contains an LFENCE speculation barrier. However, there are +patches in progress for x86 uaccess.h to mask kernel addresses instead of +using LFENCE; once these land, a guest could use speculation to read +from the VMM's ring 3 address space. 
Other architectures such as ARM +already use the address masking method, and would be susceptible to +this same kind of data-dependent access gadgets. Therefore, this patch +proactively protects from these attacks by masking out-of-bounds gfns +in __gfn_to_hva_memslot, which blocks speculation of invalid hvas. + +Sean Christopherson noted that this patch does not cover +kvm_read_guest_offset_cached. This however is limited to a few bytes +past the end of the cache, and therefore it is unlikely to be useful in +the context of building a chain of data dependent accesses. + +Reported-by: Artemiy Margaritov +Co-developed-by: Artemiy Margaritov +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -1017,7 +1017,15 @@ __gfn_to_memslot(struct kvm_memslots *sl + static inline unsigned long + __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn) + { +- return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE; ++ /* ++ * The index was checked originally in search_memslots. To avoid ++ * that a malicious guest builds a Spectre gadget out of e.g. page ++ * table walks, do not let the processor speculate loads outside ++ * the guest's registered memslots. ++ */ ++ unsigned long offset = array_index_nospec(gfn - slot->base_gfn, ++ slot->npages); ++ return slot->userspace_addr + offset * PAGE_SIZE; + } + + static inline int memslot_id(struct kvm *kvm, gfn_t gfn) diff --git a/queue-4.19/series b/queue-4.19/series index 3f225dc728e..722ceb049c8 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -26,3 +26,23 @@ i2c-mpc-make-use-of-i2c_recover_bus.patch i2c-mpc-implement-erratum-a-004447-workaround.patch arm-dts-imx6qdl-sabresd-assign-corresponding-power-supply-for-ldos.patch arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch +drm-fix-use-after-free-read-in-drm_getunique.patch +drm-lock-pointer-access-in-drm_master_release.patch +kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch +staging-rtl8723bs-fix-uninitialized-variables.patch +btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch +cgroup1-don-t-allow-n-in-renaming.patch +usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch +usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch +usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch +usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch +usb-dwc3-ep0-fix-null-pointer-exception.patch +usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch +usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch +usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch +usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch +usb-serial-quatech2-fix-control-request-directions.patch +usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch +usb-gadget-eem-fix-wrong-eem-header-operation.patch +usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch +usb-fix-various-gadget-panics-on-10gbps-cabling.patch diff --git a/queue-4.19/staging-rtl8723bs-fix-uninitialized-variables.patch b/queue-4.19/staging-rtl8723bs-fix-uninitialized-variables.patch new file mode 100644 index 00000000000..74856e884cd --- /dev/null +++ b/queue-4.19/staging-rtl8723bs-fix-uninitialized-variables.patch 
@@ -0,0 +1,69 @@ +From 43c85d770db80cb135f576f8fde6ff1a08e707a4 Mon Sep 17 00:00:00 2001 +From: Wenli Looi +Date: Mon, 7 Jun 2021 23:46:20 -0700 +Subject: staging: rtl8723bs: Fix uninitialized variables + +From: Wenli Looi + +commit 43c85d770db80cb135f576f8fde6ff1a08e707a4 upstream. + +The sinfo.pertid and sinfo.generation variables are not initialized and +it causes a crash when we use this as a wireless access point. + +[ 456.873025] ------------[ cut here ]------------ +[ 456.878198] kernel BUG at mm/slub.c:3968! +[ 456.882680] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM + + [ snip ] + +[ 457.271004] Backtrace: +[ 457.273733] [] (kfree) from [] (nl80211_send_station+0x954/0xfc4) +[ 457.282481] r9:eccca0c0 r8:e8edfec0 r7:00000000 r6:00000011 r5:e80a9480 r4:e8edfe00 +[ 457.291132] [] (nl80211_send_station) from [] (cfg80211_new_sta+0x90/0x1cc) +[ 457.300850] r10:e80a9480 r9:e8edfe00 r8:ea678cca r7:00000a20 r6:00000000 r5:ec46d000 +[ 457.309586] r4:ec46d9e0 +[ 457.312433] [] (cfg80211_new_sta) from [] (rtw_cfg80211_indicate_sta_assoc+0x80/0x9c [r8723bs]) +[ 457.324095] r10:00009930 r9:e85b9d80 r8:bf091050 r7:00000000 r6:00000000 r5:0000001c +[ 457.332831] r4:c1606788 +[ 457.335692] [] (rtw_cfg80211_indicate_sta_assoc [r8723bs]) from [] (rtw_stassoc_event_callback+0x1c8/0x1d4 [r8723bs]) +[ 457.349489] r7:ea678cc0 r6:000000a1 r5:f1225f84 r4:f086b000 +[ 457.355845] [] (rtw_stassoc_event_callback [r8723bs]) from [] (mlme_evt_hdl+0x8c/0xb4 [r8723bs]) +[ 457.367601] r7:c1604900 r6:f086c4b8 r5:00000000 r4:f086c000 +[ 457.373959] [] (mlme_evt_hdl [r8723bs]) from [] (rtw_cmd_thread+0x198/0x3d8 [r8723bs]) +[ 457.384744] r5:f086e000 r4:f086c000 +[ 457.388754] [] (rtw_cmd_thread [r8723bs]) from [] (kthread+0x170/0x174) +[ 457.398083] r10:ed7a57e8 r9:bf0367a4 r8:f086b000 r7:e8ede000 r6:00000000 r5:e9975200 +[ 457.406828] r4:e8369900 +[ 457.409653] [] (kthread) from [] (ret_from_fork+0x14/0x2c) +[ 457.417718] Exception stack(0xe8edffb0 to 0xe8edfff8) +[ 457.423356] ffa0: 
00000000 00000000 00000000 00000000 +[ 457.432492] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 457.441618] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 +[ 457.449006] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c014a0a4 +[ 457.457750] r4:e9975200 +[ 457.460574] Code: 1a000003 e5953004 e3130001 1a000000 (e7f001f2) +[ 457.467381] ---[ end trace 4acbc8c15e9e6aa7 ]--- + +Link: https://forum.armbian.com/topic/14727-wifi-ap-kernel-bug-in-kernel-5444/ +Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info") +Fixes: f5ea9120be2e ("nl80211: add generation number to all dumps") +Signed-off-by: Wenli Looi +Reviewed-by: Dan Carpenter +Cc: stable +Link: https://lore.kernel.org/r/20210608064620.74059-1-wlooi@ucalgary.ca +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c ++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c +@@ -2416,7 +2416,7 @@ void rtw_cfg80211_indicate_sta_assoc(str + DBG_871X(FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter)); + + { +- struct station_info sinfo; ++ struct station_info sinfo = {}; + u8 ie_offset; + if (GetFrameSubType(pmgmt_frame) == WIFI_ASSOCREQ) + ie_offset = _ASOCREQ_IE_OFFSET_; diff --git a/queue-4.19/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch b/queue-4.19/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch new file mode 100644 index 00000000000..7cab6b8a673 --- /dev/null +++ b/queue-4.19/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch 
@@ -0,0 +1,122 @@ +From 8d396bb0a5b62b326f6be7594d8bd46b088296bd Mon Sep 17 00:00:00 2001 +From: Jack Pham +Date: Sat, 29 May 2021 12:29:32 -0700 +Subject: usb: dwc3: debugfs: Add and remove endpoint dirs dynamically + +From: Jack Pham + +commit 8d396bb0a5b62b326f6be7594d8bd46b088296bd upstream. + +The DWC3 DebugFS directory and files are currently created once +during probe. This includes creation of subdirectories for each +of the gadget's endpoints. This works fine for peripheral-only +controllers, as dwc3_core_init_mode() calls dwc3_gadget_init() +just prior to calling dwc3_debugfs_init(). + +However, for dual-role controllers, dwc3_core_init_mode() will +instead call dwc3_drd_init() which is problematic in a few ways. +First, the initial state must be determined, then dwc3_set_mode() +will have to schedule drd_work and by then dwc3_debugfs_init() +could have already been invoked. Even if the initial mode is +peripheral, dwc3_gadget_init() happens after the DebugFS files +are created, and worse so if the initial state is host and the +controller switches to peripheral much later. And secondly, +even if the gadget endpoints' debug entries were successfully +created, if the controller exits peripheral mode, its dwc3_eps +are freed so the debug files would now hold stale references. + +So it is best if the DebugFS endpoint entries are created and +removed dynamically at the same time the underlying dwc3_eps are. +Do this by calling dwc3_debugfs_create_endpoint_dir() as each +endpoint is created, and conversely remove the DebugFS entry when +the endpoint is freed. 
+ +Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly") +Cc: stable +Reviewed-by: Peter Chen +Signed-off-by: Jack Pham +Link: https://lore.kernel.org/r/20210529192932.22912-1-jackp@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/debug.h | 3 +++ + drivers/usb/dwc3/debugfs.c | 21 ++------------------- + drivers/usb/dwc3/gadget.c | 3 +++ + 3 files changed, 8 insertions(+), 19 deletions(-) + +--- a/drivers/usb/dwc3/debug.h ++++ b/drivers/usb/dwc3/debug.h +@@ -653,9 +653,12 @@ static inline const char *dwc3_gadget_ge + + + #ifdef CONFIG_DEBUG_FS ++extern void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep); + extern void dwc3_debugfs_init(struct dwc3 *); + extern void dwc3_debugfs_exit(struct dwc3 *); + #else ++static inline void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep) ++{ } + static inline void dwc3_debugfs_init(struct dwc3 *d) + { } + static inline void dwc3_debugfs_exit(struct dwc3 *d) +--- a/drivers/usb/dwc3/debugfs.c ++++ b/drivers/usb/dwc3/debugfs.c +@@ -725,30 +725,14 @@ static void dwc3_debugfs_create_endpoint + } + } + +-static void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep, +- struct dentry *parent) ++void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep) + { + struct dentry *dir; + +- dir = debugfs_create_dir(dep->name, parent); ++ dir = debugfs_create_dir(dep->name, dep->dwc->root); + dwc3_debugfs_create_endpoint_files(dep, dir); + } + +-static void dwc3_debugfs_create_endpoint_dirs(struct dwc3 *dwc, +- struct dentry *parent) +-{ +- int i; +- +- for (i = 0; i < dwc->num_eps; i++) { +- struct dwc3_ep *dep = dwc->eps[i]; +- +- if (!dep) +- continue; +- +- dwc3_debugfs_create_endpoint_dir(dep, parent); +- } +-} +- + void dwc3_debugfs_init(struct dwc3 *dwc) + { + struct dentry *root; +@@ -777,7 +761,6 @@ void dwc3_debugfs_init(struct dwc3 *dwc) + &dwc3_testmode_fops); + debugfs_create_file("link_state", S_IRUGO | S_IWUSR, root, dwc, + &dwc3_link_state_fops); +- 
dwc3_debugfs_create_endpoint_dirs(dwc, root); + } + } + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2255,6 +2255,8 @@ static int dwc3_gadget_init_endpoint(str + INIT_LIST_HEAD(&dep->started_list); + INIT_LIST_HEAD(&dep->cancelled_list); + ++ dwc3_debugfs_create_endpoint_dir(dep); ++ + return 0; + } + +@@ -2298,6 +2300,7 @@ static void dwc3_gadget_free_endpoints(s + list_del(&dep->endpoint.ep_list); + } + ++ debugfs_remove_recursive(debugfs_lookup(dep->name, dwc->root)); + kfree(dep); + } + } diff --git a/queue-4.19/usb-dwc3-ep0-fix-null-pointer-exception.patch b/queue-4.19/usb-dwc3-ep0-fix-null-pointer-exception.patch new file mode 100644 index 00000000000..4c2d61a55c2 --- /dev/null +++ b/queue-4.19/usb-dwc3-ep0-fix-null-pointer-exception.patch 
@@ -0,0 +1,67 @@ +From d00889080ab60051627dab1d85831cd9db750e2a Mon Sep 17 00:00:00 2001 +From: Marian-Cristian Rotariu +Date: Tue, 8 Jun 2021 19:26:50 +0300 +Subject: usb: dwc3: ep0: fix NULL pointer exception + +From: Marian-Cristian Rotariu + +commit d00889080ab60051627dab1d85831cd9db750e2a upstream. + +There is no validation of the index from dwc3_wIndex_to_dep() and we might +be referring a non-existing ep and trigger a NULL pointer exception. In +certain configurations we might use fewer eps and the index might wrongly +indicate a larger ep index than existing. + +By adding this validation from the patch we can actually report a wrong +index back to the caller. + +In our usecase we are using a composite device on an older kernel, but +upstream might use this fix also. Unfortunately, I cannot describe the +hardware for others to reproduce the issue as it is a proprietary +implementation. + +[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4 +[ 82.966891] Mem abort info: +[ 82.969663] ESR = 0x96000006 +[ 82.972703] Exception class = DABT (current EL), IL = 32 bits +[ 82.978603] SET = 0, FnV = 0 +[ 82.981642] EA = 0, S1PTW = 0 +[ 82.984765] Data abort info: +[ 82.987631] ISV = 0, ISS = 0x00000006 +[ 82.991449] CM = 0, WnR = 0 +[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc +[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000 +[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c) +[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1 +[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) +[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c +[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94 + +... 
+ +[ 83.141788] Call trace: +[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c +[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94 +[ 83.181546] ---[ end trace aac6b5267d84c32f ]--- + +Signed-off-by: Marian-Cristian Rotariu +Cc: stable +Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/ep0.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -292,6 +292,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de + epnum |= 1; + + dep = dwc->eps[epnum]; ++ if (dep == NULL) ++ return NULL; ++ + if (dep->flags & DWC3_EP_ENABLED) + return dep; + diff --git a/queue-4.19/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch b/queue-4.19/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch new file mode 100644 index 00000000000..875b7e2fd02 --- /dev/null +++ b/queue-4.19/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch 
@@ -0,0 +1,43 @@ +From 3370139745853f7826895293e8ac3aec1430508e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= +Date: Mon, 7 Jun 2021 17:53:44 -0700 +Subject: USB: f_ncm: ncm_bitrate (speed) is unsigned +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +commit 3370139745853f7826895293e8ac3aec1430508e upstream. + +[ 190.544755] configfs-gadget gadget: notify speed -44967296 + +This is because 4250000000 - 2**32 is -44967296. + +Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") +Cc: Brooke Basile +Cc: Bryan O'Donoghue +Cc: Felipe Balbi +Cc: Lorenzo Colitti +Cc: Yauheni Kaliuta +Cc: Linux USB Mailing List +Acked-By: Lorenzo Colitti +Signed-off-by: Maciej Żenczykowski +Cc: stable +Link: https://lore.kernel.org/r/20210608005344.3762668-1-zenczykowski@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -583,7 +583,7 @@ static void ncm_do_notify(struct f_ncm * + data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget)); + data[1] = data[0]; + +- DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget)); ++ DBG(cdev, "notify speed %u\n", ncm_bitrate(cdev->gadget)); + ncm->notify_state = NCM_NOTIFY_CONNECT; + break; + } diff --git a/queue-4.19/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch b/queue-4.19/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch new file mode 100644 index 00000000000..2e99b8de97a --- /dev/null +++ b/queue-4.19/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch 
@@ -0,0 +1,60 @@ +From 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= +Date: Tue, 8 Jun 2021 01:54:38 -0700 +Subject: usb: f_ncm: only first packet of aggregate needs to start timer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +commit 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe upstream. + +The reasoning for this change is that if we already had +a packet pending, then we also already had a pending timer, +and as such there is no need to reschedule it. + +This also prevents packets getting delayed 60 ms worst case +under a tiny packet every 290us transmit load, by keeping the +timeout always relative to the first queued up packet. +(300us delay * 16KB max aggregation / 80 byte packet =~ 60 ms) + +As such the first packet is now at most delayed by 300us. + +Under low transmit load, this will simply result in us sending +a shorter aggregate, as originally intended. + +This patch has the benefit of greatly reducing (by ~10 factor +with 1500 byte frames aggregated into 16 kiB) the number of +(potentially pretty costly) updates to the hrtimer. + +Cc: Brooke Basile +Cc: Bryan O'Donoghue +Cc: Felipe Balbi +Cc: Lorenzo Colitti +Signed-off-by: Maciej Żenczykowski +Link: https://lore.kernel.org/r/20210608085438.813960-1-zenczykowski@gmail.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1104,11 +1104,11 @@ static struct sk_buff *ncm_wrap_ntb(stru + ncm->ndp_dgram_count = 1; + + /* Note: we skip opts->next_ndp_index */ +- } + +- /* Delay the timer. */ +- hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS, +- HRTIMER_MODE_REL_SOFT); ++ /* Start the timer. 
*/ ++ hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS, ++ HRTIMER_MODE_REL_SOFT); ++ } + + /* Add the datagram position entries */ + ntb_ndp = skb_put_zero(ncm->skb_tx_ndp, dgram_idx_len); diff --git a/queue-4.19/usb-fix-various-gadget-panics-on-10gbps-cabling.patch b/queue-4.19/usb-fix-various-gadget-panics-on-10gbps-cabling.patch new file mode 100644 index 00000000000..c1098a14732 --- /dev/null +++ b/queue-4.19/usb-fix-various-gadget-panics-on-10gbps-cabling.patch 
@@ -0,0 +1,67 @@ +From 032e288097a553db5653af552dd8035cd2a0ba96 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= +Date: Tue, 8 Jun 2021 19:44:59 -0700 +Subject: usb: fix various gadget panics on 10gbps cabling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +commit 032e288097a553db5653af552dd8035cd2a0ba96 upstream. + +usb_assign_descriptors() is called with 5 parameters, +the last 4 of which are the usb_descriptor_header for: + full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps), + high-speed (USB2.0 - 480Mbps), + super-speed (USB3.0 - 5Gbps), + super-speed-plus (USB3.1 - 10Gbps). + +The differences between full/high/super-speed descriptors are usually +substantial (due to changes in the maximum usb block size from 64 to 512 +to 1024 bytes and other differences in the specs), while the difference +between 5 and 10Gbps descriptors may be as little as nothing +(in many cases the same tuning is simply good enough). + +However if a gadget driver calls usb_assign_descriptors() with +a NULL descriptor for super-speed-plus and is then used on a max 10gbps +configuration, the kernel will crash with a null pointer dereference, +when a 10gbps capable device port + cable + host port combination shows up. +(This wouldn't happen if the gadget max-speed was set to 5gbps, but +it of course defaults to the maximum, and there's no real reason to +artificially limit it) + +The fix is to simply use the 5gbps descriptor as the 10gbps descriptor, +if a 10gbps descriptor wasn't provided. + +Obviously this won't fix the problem if the 5gbps descriptor is also +NULL, but such cases can't be so trivially solved (and any such gadgets +are unlikely to be used with USB3 ports any way). 
+ +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Signed-off-by: Maciej Żenczykowski +Cc: stable +Link: https://lore.kernel.org/r/20210609024459.1126080-1-zenczykowski@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/config.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/gadget/config.c ++++ b/drivers/usb/gadget/config.c +@@ -164,6 +164,14 @@ int usb_assign_descriptors(struct usb_fu + { + struct usb_gadget *g = f->config->cdev->gadget; + ++ /* super-speed-plus descriptor falls back to super-speed one, ++ * if such a descriptor was provided, thus avoiding a NULL ++ * pointer dereference if a 5gbps capable gadget is used with ++ * a 10gbps capable config (device port + cable + host port) ++ */ ++ if (!ssp) ++ ssp = ss; ++ + if (fs) { + f->fs_descriptors = usb_copy_descriptors(fs); + if (!f->fs_descriptors) diff --git a/queue-4.19/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch b/queue-4.19/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch new file mode 100644 index 00000000000..53e96dc87b9 --- /dev/null +++ b/queue-4.19/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch 
@@ -0,0 +1,162 @@ +From 90c4d05780d47e14a50e11a7f17373104cd47d25 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= +Date: Mon, 7 Jun 2021 21:41:41 -0700 +Subject: usb: fix various gadgets null ptr deref on 10gbps cabling. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +commit 90c4d05780d47e14a50e11a7f17373104cd47d25 upstream. + +This avoids a null pointer dereference in +f_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm} +by simply reusing the 5gbps config for 10gbps. + +Fixes: eaef50c76057 ("usb: gadget: Update usb_assign_descriptors for SuperSpeedPlus") +Cc: Christophe JAILLET +Cc: Felipe Balbi +Cc: Gustavo A. R. Silva +Cc: Lorenzo Colitti +Cc: Martin K. Petersen +Cc: Michael R Sweet +Cc: Mike Christie +Cc: Pawel Laszczak +Cc: Peter Chen +Cc: Sudhakar Panneerselvam +Cc: Wei Ming Chen +Cc: Will McVicker +Cc: Zqiang +Reviewed-By: Lorenzo Colitti +Cc: stable +Signed-off-by: Maciej Żenczykowski +Link: https://lore.kernel.org/r/20210608044141.3898496-1-zenczykowski@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ecm.c | 2 +- + drivers/usb/gadget/function/f_eem.c | 2 +- + drivers/usb/gadget/function/f_hid.c | 3 ++- + drivers/usb/gadget/function/f_loopback.c | 2 +- + drivers/usb/gadget/function/f_printer.c | 3 ++- + drivers/usb/gadget/function/f_rndis.c | 2 +- + drivers/usb/gadget/function/f_serial.c | 2 +- + drivers/usb/gadget/function/f_sourcesink.c | 3 ++- + drivers/usb/gadget/function/f_subset.c | 2 +- + drivers/usb/gadget/function/f_tcm.c | 3 ++- + 10 files changed, 14 insertions(+), 10 deletions(-) + +--- a/drivers/usb/gadget/function/f_ecm.c ++++ b/drivers/usb/gadget/function/f_ecm.c +@@ -791,7 +791,7 @@ ecm_bind(struct usb_configuration *c, st + fs_ecm_notify_desc.bEndpointAddress; + + status = usb_assign_descriptors(f, ecm_fs_function, ecm_hs_function, +- ecm_ss_function, NULL); ++ ecm_ss_function, 
ecm_ss_function); + if (status) + goto fail; + +--- a/drivers/usb/gadget/function/f_eem.c ++++ b/drivers/usb/gadget/function/f_eem.c +@@ -305,7 +305,7 @@ static int eem_bind(struct usb_configura + eem_ss_out_desc.bEndpointAddress = eem_fs_out_desc.bEndpointAddress; + + status = usb_assign_descriptors(f, eem_fs_function, eem_hs_function, +- eem_ss_function, NULL); ++ eem_ss_function, eem_ss_function); + if (status) + goto fail; + +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -808,7 +808,8 @@ static int hidg_bind(struct usb_configur + hidg_fs_out_ep_desc.bEndpointAddress; + + status = usb_assign_descriptors(f, hidg_fs_descriptors, +- hidg_hs_descriptors, hidg_ss_descriptors, NULL); ++ hidg_hs_descriptors, hidg_ss_descriptors, ++ hidg_ss_descriptors); + if (status) + goto fail; + +--- a/drivers/usb/gadget/function/f_loopback.c ++++ b/drivers/usb/gadget/function/f_loopback.c +@@ -207,7 +207,7 @@ autoconf_fail: + ss_loop_sink_desc.bEndpointAddress = fs_loop_sink_desc.bEndpointAddress; + + ret = usb_assign_descriptors(f, fs_loopback_descs, hs_loopback_descs, +- ss_loopback_descs, NULL); ++ ss_loopback_descs, ss_loopback_descs); + if (ret) + return ret; + +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -1063,7 +1063,8 @@ autoconf_fail: + ss_ep_out_desc.bEndpointAddress = fs_ep_out_desc.bEndpointAddress; + + ret = usb_assign_descriptors(f, fs_printer_function, +- hs_printer_function, ss_printer_function, NULL); ++ hs_printer_function, ss_printer_function, ++ ss_printer_function); + if (ret) + return ret; + +--- a/drivers/usb/gadget/function/f_rndis.c ++++ b/drivers/usb/gadget/function/f_rndis.c +@@ -789,7 +789,7 @@ rndis_bind(struct usb_configuration *c, + ss_notify_desc.bEndpointAddress = fs_notify_desc.bEndpointAddress; + + status = usb_assign_descriptors(f, eth_fs_function, eth_hs_function, +- eth_ss_function, NULL); ++ eth_ss_function, eth_ss_function); + if (status) + goto 
fail; + +--- a/drivers/usb/gadget/function/f_serial.c ++++ b/drivers/usb/gadget/function/f_serial.c +@@ -233,7 +233,7 @@ static int gser_bind(struct usb_configur + gser_ss_out_desc.bEndpointAddress = gser_fs_out_desc.bEndpointAddress; + + status = usb_assign_descriptors(f, gser_fs_function, gser_hs_function, +- gser_ss_function, NULL); ++ gser_ss_function, gser_ss_function); + if (status) + goto fail; + dev_dbg(&cdev->gadget->dev, "generic ttyGS%d: %s speed IN/%s OUT/%s\n", +--- a/drivers/usb/gadget/function/f_sourcesink.c ++++ b/drivers/usb/gadget/function/f_sourcesink.c +@@ -431,7 +431,8 @@ no_iso: + ss_iso_sink_desc.bEndpointAddress = fs_iso_sink_desc.bEndpointAddress; + + ret = usb_assign_descriptors(f, fs_source_sink_descs, +- hs_source_sink_descs, ss_source_sink_descs, NULL); ++ hs_source_sink_descs, ss_source_sink_descs, ++ ss_source_sink_descs); + if (ret) + return ret; + +--- a/drivers/usb/gadget/function/f_subset.c ++++ b/drivers/usb/gadget/function/f_subset.c +@@ -358,7 +358,7 @@ geth_bind(struct usb_configuration *c, s + fs_subset_out_desc.bEndpointAddress; + + status = usb_assign_descriptors(f, fs_eth_function, hs_eth_function, +- ss_eth_function, NULL); ++ ss_eth_function, ss_eth_function); + if (status) + goto fail; + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -2071,7 +2071,8 @@ static int tcm_bind(struct usb_configura + uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress; + + ret = usb_assign_descriptors(f, uasp_fs_function_desc, +- uasp_hs_function_desc, uasp_ss_function_desc, NULL); ++ uasp_hs_function_desc, uasp_ss_function_desc, ++ uasp_ss_function_desc); + if (ret) + goto ep_fail; + diff --git a/queue-4.19/usb-gadget-eem-fix-wrong-eem-header-operation.patch b/queue-4.19/usb-gadget-eem-fix-wrong-eem-header-operation.patch new file mode 100644 index 00000000000..c9cbabc4b9d --- /dev/null +++ b/queue-4.19/usb-gadget-eem-fix-wrong-eem-header-operation.patch 
@@ -0,0 +1,41 @@ +From 305f670846a31a261462577dd0b967c4fa796871 Mon Sep 17 00:00:00 2001 +From: Linyu Yuan +Date: Wed, 9 Jun 2021 07:35:47 +0800 +Subject: usb: gadget: eem: fix wrong eem header operation + +From: Linyu Yuan + +commit 305f670846a31a261462577dd0b967c4fa796871 upstream. + +when skb_clone() or skb_copy_expand() fail, +it should pull skb with lengh indicated by header, +or not it will read network data and check it as header. + +Cc: +Signed-off-by: Linyu Yuan +Link: https://lore.kernel.org/r/20210608233547.3767-1-linyyuan@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_eem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_eem.c ++++ b/drivers/usb/gadget/function/f_eem.c +@@ -498,7 +498,7 @@ static int eem_unwrap(struct gether *por + skb2 = skb_clone(skb, GFP_ATOMIC); + if (unlikely(!skb2)) { + DBG(cdev, "unable to unframe EEM packet\n"); +- continue; ++ goto next; + } + skb_trim(skb2, len - ETH_FCS_LEN); + +@@ -508,7 +508,7 @@ static int eem_unwrap(struct gether *por + GFP_ATOMIC); + if (unlikely(!skb3)) { + dev_kfree_skb_any(skb2); +- continue; ++ goto next; + } + dev_kfree_skb_any(skb2); + skb_queue_tail(list, skb3); diff --git a/queue-4.19/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch b/queue-4.19/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch new file mode 100644 index 00000000000..f06f04b8c54 --- /dev/null +++ b/queue-4.19/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch 
@@ -0,0 +1,42 @@ +From 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 Mon Sep 17 00:00:00 2001 +From: Wesley Cheng +Date: Fri, 21 May 2021 17:44:21 -0700 +Subject: usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind + +From: Wesley Cheng + +commit 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 upstream. + +During unbind, ffs_func_eps_disable() will be executed, resulting in +completion callbacks for any pending USB requests. When using AIO, +irrespective of the completion status, io_data work is queued to +io_completion_wq to evaluate and handle the completed requests. Since +work runs asynchronously to the unbind() routine, there can be a +scenario where the work runs after the USB gadget has been fully +removed, resulting in accessing of a resource which has been already +freed. (i.e. usb_ep_free_request() accessing the USB ep structure) + +Explicitly drain the io_completion_wq, instead of relying on the +destroy_workqueue() (in ffs_data_put()) to make sure no pending +completion work items are running. + +Signed-off-by: Wesley Cheng +Cc: stable +Link: https://lore.kernel.org/r/1621644261-1236-1-git-send-email-wcheng@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3469,6 +3469,9 @@ static void ffs_func_unbind(struct usb_c + ffs->func = NULL; + } + ++ /* Drain any pending AIO completions */ ++ drain_workqueue(ffs->io_completion_wq); ++ + if (!--opts->refcnt) + functionfs_unbind(ffs); + diff --git a/queue-4.19/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch b/queue-4.19/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch new file mode 100644 index 00000000000..ae3c4e4eed7 --- /dev/null +++ b/queue-4.19/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch 
@@ -0,0 +1,35 @@ +From 6490fa565534fa83593278267785a694fd378a2b Mon Sep 17 00:00:00 2001 +From: Kyle Tso +Date: Fri, 28 May 2021 16:16:13 +0800 +Subject: usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms + +From: Kyle Tso + +commit 6490fa565534fa83593278267785a694fd378a2b upstream. + +Current timer PD_T_SINK_WAIT_CAP is set to 240ms which will violate the +SinkWaitCapTimer (tTypeCSinkWaitCap 310 - 620 ms) defined in the PD +Spec if the port is faster enough when running the state machine. Set it +to the lower bound 310ms to ensure the timeout is in Spec. + +Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") +Cc: stable +Reviewed-by: Guenter Roeck +Signed-off-by: Kyle Tso +Link: https://lore.kernel.org/r/20210528081613.730661-1-kyletso@google.com +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/usb/pd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/usb/pd.h ++++ b/include/linux/usb/pd.h +@@ -434,7 +434,7 @@ static inline unsigned int rdo_max_power + #define PD_T_SENDER_RESPONSE 60 /* 24 - 30 ms, relaxed */ + #define PD_T_SOURCE_ACTIVITY 45 + #define PD_T_SINK_ACTIVITY 135 +-#define PD_T_SINK_WAIT_CAP 240 ++#define PD_T_SINK_WAIT_CAP 310 /* 310 - 620 ms */ + #define PD_T_PS_TRANSITION 500 + #define PD_T_SRC_TRANSITION 35 + #define PD_T_DRP_SNK 40 diff --git a/queue-4.19/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch b/queue-4.19/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch new file mode 100644 index 00000000000..1b315f442fb --- /dev/null +++ b/queue-4.19/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch 
@@ -0,0 +1,63 @@ +From 6f7ec77cc8b64ff5037c1945e4650c65c458037d Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Fri, 28 May 2021 22:39:31 +0200 +Subject: USB: serial: cp210x: fix alternate function for CP2102N QFN20 + +From: Stefan Agner + +commit 6f7ec77cc8b64ff5037c1945e4650c65c458037d upstream. + +The QFN20 part has a different GPIO/port function assignment. The +configuration struct bit field ordered as TX/RX/RS485/WAKEUP/CLK +which exactly matches GPIO0-3 for QFN24/28. However, QFN20 has a +different GPIO to primary function assignment. + +Special case QFN20 to follow to properly detect which GPIOs are +available. + +Signed-off-by: Stefan Agner +Link: https://lore.kernel.org/r/51830b2b24118eb0f77c5c9ac64ffb2f519dbb1d.1622218300.git.stefan@agner.ch +Fixes: c8acfe0aadbe ("USB: serial: cp210x: implement GPIO support for CP2102N") +Cc: stable@vger.kernel.org # 4.19 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/cp210x.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -485,6 +485,12 @@ struct cp210x_config { + #define CP210X_2NCONFIG_GPIO_RSTLATCH_IDX 587 + #define CP210X_2NCONFIG_GPIO_CONTROL_IDX 600 + ++/* CP2102N QFN20 port configuration values */ ++#define CP2102N_QFN20_GPIO2_TXLED_MODE BIT(2) ++#define CP2102N_QFN20_GPIO3_RXLED_MODE BIT(3) ++#define CP2102N_QFN20_GPIO1_RS485_MODE BIT(4) ++#define CP2102N_QFN20_GPIO0_CLK_MODE BIT(6) ++ + /* CP210X_VENDOR_SPECIFIC, CP210X_WRITE_LATCH call writes these 0x2 bytes. */ + struct cp210x_gpio_write { + u8 mask; +@@ -1630,7 +1636,19 @@ static int cp2102n_gpioconf_init(struct + priv->gpio_pushpull = (gpio_pushpull >> 3) & 0x0f; + + /* 0 indicates GPIO mode, 1 is alternate function */ +- priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f; ++ if (priv->partnum == CP210X_PARTNUM_CP2102N_QFN20) { ++ /* QFN20 is special... 
*/ ++ if (gpio_ctrl & CP2102N_QFN20_GPIO0_CLK_MODE) /* GPIO 0 */ ++ priv->gpio_altfunc |= BIT(0); ++ if (gpio_ctrl & CP2102N_QFN20_GPIO1_RS485_MODE) /* GPIO 1 */ ++ priv->gpio_altfunc |= BIT(1); ++ if (gpio_ctrl & CP2102N_QFN20_GPIO2_TXLED_MODE) /* GPIO 2 */ ++ priv->gpio_altfunc |= BIT(2); ++ if (gpio_ctrl & CP2102N_QFN20_GPIO3_RXLED_MODE) /* GPIO 3 */ ++ priv->gpio_altfunc |= BIT(3); ++ } else { ++ priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f; ++ } + + /* + * The CP2102N does not strictly has input and output pin modes, diff --git a/queue-4.19/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch b/queue-4.19/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch new file mode 100644 index 00000000000..e55bf44e319 --- /dev/null +++ b/queue-4.19/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch 
@@ -0,0 +1,40 @@ +From bc96c72df33ee81b24d87eab953c73f7bcc04f29 Mon Sep 17 00:00:00 2001 +From: George McCollister +Date: Thu, 3 Jun 2021 19:32:08 -0500 +Subject: USB: serial: ftdi_sio: add NovaTech OrionMX product ID + +From: George McCollister + +commit bc96c72df33ee81b24d87eab953c73f7bcc04f29 upstream. + +Add PID for the NovaTech OrionMX so it can be automatically detected. + +Signed-off-by: George McCollister +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -601,6 +601,7 @@ static const struct usb_device_id id_tab + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -581,6 +581,7 @@ + #define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ + #define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */ + #define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */ ++#define FTDI_NT_ORIONMX_PID 0x7c93 /* OrionMX */ + + /* + * Synapse Wireless product ids (FTDI_VID) diff --git a/queue-4.19/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch b/queue-4.19/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch new file mode 100644 index 00000000000..5c25ee1f54e --- /dev/null +++ b/queue-4.19/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch 
@@ -0,0 +1,48 @@ +From fc0b3dc9a11771c3919eaaaf9d649138b095aa0f Mon Sep 17 00:00:00 2001 +From: Alexandre GRIVEAUX +Date: Sun, 23 May 2021 18:35:21 +0200 +Subject: USB: serial: omninet: add device id for Zyxel Omni 56K Plus + +From: Alexandre GRIVEAUX + +commit fc0b3dc9a11771c3919eaaaf9d649138b095aa0f upstream. + +Add device id for Zyxel Omni 56K Plus modem, this modem include: + +USB chip: +NetChip +NET2888 + +Main chip: +901041A +F721501APGF + +Another modem using the same chips is the Zyxel Omni 56K DUO/NEO, +could be added with the right USB ID. + +Signed-off-by: Alexandre GRIVEAUX +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/omninet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/omninet.c ++++ b/drivers/usb/serial/omninet.c +@@ -26,6 +26,7 @@ + + #define ZYXEL_VENDOR_ID 0x0586 + #define ZYXEL_OMNINET_ID 0x1000 ++#define ZYXEL_OMNI_56K_PLUS_ID 0x1500 + /* This one seems to be a re-branded ZyXEL device */ + #define BT_IGNITIONPRO_ID 0x2000 + +@@ -40,6 +41,7 @@ static int omninet_port_remove(struct us + + static const struct usb_device_id id_table[] = { + { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNINET_ID) }, ++ { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNI_56K_PLUS_ID) }, + { USB_DEVICE(ZYXEL_VENDOR_ID, BT_IGNITIONPRO_ID) }, + { } /* Terminating entry */ + }; diff --git a/queue-4.19/usb-serial-quatech2-fix-control-request-directions.patch b/queue-4.19/usb-serial-quatech2-fix-control-request-directions.patch new file mode 100644 index 00000000000..1fb7049a542 --- /dev/null +++ b/queue-4.19/usb-serial-quatech2-fix-control-request-directions.patch 
@@ -0,0 +1,52 @@ +From eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 24 May 2021 11:17:05 +0200 +Subject: USB: serial: quatech2: fix control-request directions + +From: Johan Hovold + +commit eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 upstream. + +The direction of the pipe argument must match the request-type direction +bit or control requests may fail depending on the host-controller-driver +implementation. + +Fix the three requests which erroneously used usb_rcvctrlpipe(). + +Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") +Cc: stable@vger.kernel.org # 3.5 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/quatech2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/quatech2.c ++++ b/drivers/usb/serial/quatech2.c +@@ -416,7 +416,7 @@ static void qt2_close(struct usb_serial_ + + /* flush the port transmit buffer */ + i = usb_control_msg(serial->dev, +- usb_rcvctrlpipe(serial->dev, 0), ++ usb_sndctrlpipe(serial->dev, 0), + QT2_FLUSH_DEVICE, 0x40, 1, + port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT); + +@@ -426,7 +426,7 @@ static void qt2_close(struct usb_serial_ + + /* flush the port receive buffer */ + i = usb_control_msg(serial->dev, +- usb_rcvctrlpipe(serial->dev, 0), ++ usb_sndctrlpipe(serial->dev, 0), + QT2_FLUSH_DEVICE, 0x40, 0, + port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT); + +@@ -693,7 +693,7 @@ static int qt2_attach(struct usb_serial + int status; + + /* power on unit */ +- status = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0), ++ status = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), + 0xc2, 0x40, 0x8000, 0, NULL, 0, + QT2_USB_TIMEOUT); + if (status < 0) { 
diff --git a/queue-4.19/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch b/queue-4.19/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch new file mode 100644 index 00000000000..175095bfae3 --- /dev/null +++ b/queue-4.19/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch 
@@ -0,0 +1,48 @@ +From f247f0a82a4f8c3bfed178d8fd9e069d1424ee4e Mon Sep 17 00:00:00 2001 +From: Mayank Rana +Date: Wed, 9 Jun 2021 00:35:35 -0700 +Subject: usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path + +From: Mayank Rana + +commit f247f0a82a4f8c3bfed178d8fd9e069d1424ee4e upstream. + +If ucsi_init() fails for some reason (e.g. ucsi_register_port() +fails or general communication failure to the PPM), particularly at +any point after the GET_CAPABILITY command had been issued, this +results in unwinding the initialization and returning an error. +However the ucsi structure's ucsi_capability member retains its +current value, including likely a non-zero num_connectors. +And because ucsi_init() itself is done in a workqueue a UCSI +interface driver will be unaware that it failed and may think the +ucsi_register() call was completely successful. Later, if +ucsi_unregister() is called, due to this stale ucsi->cap value it +would try to access the items in the ucsi->connector array which +might not be in a proper state or not even allocated at all and +results in NULL or invalid pointer dereference. + +Fix this by clearing the ucsi->cap value to 0 during the error +path of ucsi_init() in order to prevent a later ucsi_unregister() +from entering the connector cleanup loop. + +Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface") +Cc: stable@vger.kernel.org +Acked-by: Heikki Krogerus +Signed-off-by: Mayank Rana +Signed-off-by: Jack Pham +Link: https://lore.kernel.org/r/20210609073535.5094-1-jackp@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -735,6 +735,7 @@ err_unregister: + } + + err_reset: ++ memset(&ucsi->cap, 0, sizeof(ucsi->cap)); + ucsi_reset_ppm(ucsi); + err: + mutex_unlock(&ucsi->ppm_lock);
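Review bot: in drivers/usb/gadget/config.c, usb_assign_descriptors(), the new `if (!ssp) ssp = ss;` still leaves ssp NULL when ss is NULL as well. The commit message concedes this, but the in-code comment only hints at it with "if such a descriptor was provided". The comment should say outright that a function supplying neither descriptor is not covered, and the part of the function outside this hunk should be checked for how it treats a NULL ssp on a 10gbps link. The patch also carries no Fixes: tag, while the companion change to the ten function drivers names eaef50c76057; adding one would document which stable trees need the fallback.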
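Review bot: in drivers/usb/gadget/function/f_eem.c, eem_unwrap(), both hunks replace `continue` with `goto next`, but the `next:` label lies outside the context shown. The backport is therefore correct only if the 4.19 eem_unwrap() already has that label and the code under it pulls the skb by the length taken from the EEM header, which is what the commit message asks for. Confirm this against the 4.19 tree: a missing label fails the build, but a label placed differently from upstream would silently change what the loop skips. In the second hunk skb2 is freed before the jump, so the error path does not leak it.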
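Review bot: in drivers/usb/gadget/function/f_fs.c, ffs_func_unbind(), `drain_workqueue(ffs->io_completion_wq)` is safe only if no completion callback can still queue io_data work while the drain runs, because a draining workqueue warns on and drops work queued by anything other than its own work items. The hunk does not show where ffs_func_eps_disable() runs relative to this line, so the new comment should state that the endpoints are already disabled here. The call also dereferences ffs->io_completion_wq unconditionally and can sleep, so confirm that the workqueue is always allocated by the time unbind can run and that unbind is reached only from a sleepable context.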
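Review bot: in drivers/usb/serial/cp210x.c, cp2102n_gpioconf_init(), the QFN20 branch builds priv->gpio_altfunc with `|=` while the else branch assigns it with `=`, so the QFN20 result is right only if gpio_altfunc is zero on entry. Nothing in the hunk establishes that. Either set `priv->gpio_altfunc = 0;` at the top of the QFN20 branch or accumulate the bits in a local variable and assign once, so both branches fully define the field. The comment "QFN20 is special..." would also be more useful if it named the reordering the new defines encode (CLK on GPIO 0, RS485 on GPIO 1, TXLED on GPIO 2, RXLED on GPIO 3).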
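Review bot: in drivers/usb/serial/quatech2.c, all three hunks (two in qt2_close(), one in qt2_attach()) keep the request type as the bare literal 0x40, which is how the pipe direction and the request-type direction bit came to disagree without anyone noticing. As a follow-up, spell the request type as `USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT` so the direction is visible next to usb_sndctrlpipe(). The fix itself is consistent: each changed call passes a NULL buffer with length 0 and request type 0x40, which is a host-to-device request, so the send pipe is the matching one.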
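Review bot: in drivers/usb/typec/ucsi/ucsi.c, ucsi_init(), the new memset sits under `err_reset:`, so any failure that jumps straight to `err:` leaves ucsi->cap untouched. Confirm that no `goto err` can be taken after GET_CAPABILITY has filled ucsi->cap, or move the memset below the `err:` label. There it would still run before `mutex_unlock(&ucsi->ppm_lock)` and would cover every error exit. The commit message says ucsi_unregister() uses the stale num_connectors to walk ucsi->connector, so it is also worth a one-line comment at the memset explaining that this is what it protects against.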