From: Greg Kroah-Hartman Date: Mon, 13 Dec 2021 08:30:41 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.295~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ec2b74210ea19008d67ed77c6ec028005ca9d25;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch iio-itg3200-call-iio_trigger_notify_done-on-error.patch iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch iio-ltr501-don-t-return-error-code-in-trigger-handler.patch iio-mma8452-fix-trigger-reference-couting.patch iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch usb-core-config-using-bit-mask-instead-of-individual-bits.patch usb-gadget-detect-too-big-endpoint-0-requests.patch usb-gadget-zero-allocate-endpoint-0-buffers.patch --- diff --git a/queue-4.9/iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch b/queue-4.9/iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch new file mode 100644 index 00000000000..672c7faf367 --- /dev/null +++ b/queue-4.9/iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch 
@@ -0,0 +1,60 @@ +From 70c9774e180d151abaab358108e3510a8e615215 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 25 Oct 2021 20:41:59 +0800 +Subject: iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove + +From: Yang Yingliang + +commit 70c9774e180d151abaab358108e3510a8e615215 upstream. + +When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the +memory allocated by iio_triggered_buffer_setup() will not be freed, and cause +memory leak as follows: + +unreferenced object 0xffff888009551400 (size 512): + comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s) + hex dump (first 32 bytes): + 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff ........ ....... + backtrace: + [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360 + [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf] + [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer] + [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013] + +Fix it by remove data->dready_trig condition in probe and remove. 
+ +Reported-by: Hulk Robot +Fixes: a25691c1f967 ("iio: accel: kxcjk1013: allow using an external trigger") +Signed-off-by: Yang Yingliang +Cc: +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20211025124159.2700301-1-yangyingliang@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/kxcjk-1013.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1290,8 +1290,7 @@ static int kxcjk1013_probe(struct i2c_cl + return 0; + + err_buffer_cleanup: +- if (data->dready_trig) +- iio_triggered_buffer_cleanup(indio_dev); ++ iio_triggered_buffer_cleanup(indio_dev); + err_trigger_unregister: + if (data->dready_trig) + iio_trigger_unregister(data->dready_trig); +@@ -1314,8 +1313,8 @@ static int kxcjk1013_remove(struct i2c_c + pm_runtime_set_suspended(&client->dev); + pm_runtime_put_noidle(&client->dev); + ++ iio_triggered_buffer_cleanup(indio_dev); + if (data->dready_trig) { +- iio_triggered_buffer_cleanup(indio_dev); + iio_trigger_unregister(data->dready_trig); + iio_trigger_unregister(data->motion_trig); + } diff --git a/queue-4.9/iio-itg3200-call-iio_trigger_notify_done-on-error.patch b/queue-4.9/iio-itg3200-call-iio_trigger_notify_done-on-error.patch new file mode 100644 index 00000000000..fab2bb2bd77 --- /dev/null +++ b/queue-4.9/iio-itg3200-call-iio_trigger_notify_done-on-error.patch 
@@ -0,0 +1,41 @@
+From 67fe29583e72b2103abb661bb58036e3c1f00277 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Mon, 1 Nov 2021 15:40:54 +0100
+Subject: iio: itg3200: Call iio_trigger_notify_done() on error
+
+From: Lars-Peter Clausen
+
+commit 67fe29583e72b2103abb661bb58036e3c1f00277 upstream.
+
+IIO trigger handlers must call iio_trigger_notify_done() when done. This
+must be done even when an error occurred. Otherwise the trigger will be
+seen as busy indefinitely and the trigger handler will never be called
+again.
+
+The itg3200 driver neglects to call iio_trigger_notify_done() when there is
+an error reading the gyro data. Fix this by making sure that
+iio_trigger_notify_done() is included in the error exit path.
+
+Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
+Signed-off-by: Lars-Peter Clausen
+Link: https://lore.kernel.org/r/20211101144055.13858-1-lars@metafoo.de
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/gyro/itg3200_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/gyro/itg3200_buffer.c
++++ b/drivers/iio/gyro/itg3200_buffer.c
+@@ -64,9 +64,9 @@ static irqreturn_t itg3200_trigger_handl
+
+ iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp);
+
++error_ret:
+ iio_trigger_notify_done(indio_dev->trig);
+
+-error_ret:
+ return IRQ_HANDLED;
+ }
+
diff --git a/queue-4.9/iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch b/queue-4.9/iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch
new file mode 100644
index 00000000000..fa8b750bc8e
--- /dev/null
+++ b/queue-4.9/iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch
@@ -0,0 +1,54 @@
+From 45febe0d63917ee908198c5be08511c64ee1790a Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Sun, 24 Oct 2021 19:12:50 +0200
+Subject: iio: kxsd9: Don't return error code in trigger handler
+
+From: Lars-Peter Clausen
+
+commit 45febe0d63917ee908198c5be08511c64ee1790a upstream.
+
+IIO trigger handlers need to return one of the irqreturn_t values.
+Returning an error code is not supported.
+
+The kxsd9 interrupt handler returns an error code if reading the data
+registers fails. In addition when exiting due to an error the trigger
+handler does not call `iio_trigger_notify_done()`. Which when not done
+keeps the triggered disabled forever.
+
+Modify the code so that the function returns a valid irqreturn_t value as
+well as calling `iio_trigger_notify_done()` on all exit paths.
+
+Since we can't return the error code make sure to at least log it as part
+of the error message.
+
+Fixes: 0427a106a98a ("iio: accel: kxsd9: Add triggered buffer handling")
+Signed-off-by: Lars-Peter Clausen
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20211024171251.22896-2-lars@metafoo.de
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/accel/kxsd9.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -227,14 +227,14 @@ static irqreturn_t kxsd9_trigger_handler
+ hw_values.chan,
+ sizeof(hw_values.chan));
+ if (ret) {
+- dev_err(st->dev,
+- "error reading data\n");
+- return ret;
++ dev_err(st->dev, "error reading data: %d\n", ret);
++ goto out;
+ }
+
+ iio_push_to_buffers_with_timestamp(indio_dev,
+ &hw_values,
+ iio_get_time_ns(indio_dev));
++out:
+ iio_trigger_notify_done(indio_dev->trig);
+
+ return IRQ_HANDLED;
diff --git a/queue-4.9/iio-ltr501-don-t-return-error-code-in-trigger-handler.patch b/queue-4.9/iio-ltr501-don-t-return-error-code-in-trigger-handler.patch
new file mode 100644
index 00000000000..d60ecfe8c19
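Review bot: The reworked `dev_err(st->dev, "error reading data: %d\n", ret);` in kxsd9_trigger_handler() now runs on every trigger, because the handler is re-armed through `iio_trigger_notify_done()` even after a failed read, so a persistently failing bus would log at the sample rate. `dev_err_ratelimited(st->dev, "error reading data: %d\n", ret);` keeps the diagnostic without letting it flood the kernel log. The same applies to the `dev_err()` on the register-read failure path of stk3310_irq_event_handler() in the stk3310 patch further down this page. Both handlers start outside their hunks.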
--- /dev/null +++ b/queue-4.9/iio-ltr501-don-t-return-error-code-in-trigger-handler.patch @@ -0,0 +1,43 @@ +From ef9d67fa72c1b149a420587e435a3e888bdbf74f Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Sun, 24 Oct 2021 19:12:49 +0200 +Subject: iio: ltr501: Don't return error code in trigger handler + +From: Lars-Peter Clausen + +commit ef9d67fa72c1b149a420587e435a3e888bdbf74f upstream. + +IIO trigger handlers need to return one of the irqreturn_t values. +Returning an error code is not supported. + +The ltr501 interrupt handler gets this right for most error paths, but +there is one case where it returns the error code. + +In addition for this particular case the trigger handler does not call +`iio_trigger_notify_done()`. Which when not done keeps the triggered +disabled forever. + +Modify the code so that the function returns a valid irqreturn_t value as +well as calling `iio_trigger_notify_done()` on all exit paths. + +Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20211024171251.22896-1-lars@metafoo.de +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/ltr501.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/ltr501.c ++++ b/drivers/iio/light/ltr501.c +@@ -1248,7 +1248,7 @@ static irqreturn_t ltr501_trigger_handle + ret = regmap_bulk_read(data->regmap, LTR501_ALS_DATA1, + (u8 *)als_buf, sizeof(als_buf)); + if (ret < 0) +- return ret; ++ goto done; + if (test_bit(0, indio_dev->active_scan_mask)) + scan.channels[j++] = le16_to_cpu(als_buf[1]); + if (test_bit(1, indio_dev->active_scan_mask)) diff --git a/queue-4.9/iio-mma8452-fix-trigger-reference-couting.patch b/queue-4.9/iio-mma8452-fix-trigger-reference-couting.patch new file mode 100644 index 00000000000..c2b86905a4a --- /dev/null +++ b/queue-4.9/iio-mma8452-fix-trigger-reference-couting.patch 
@@ -0,0 +1,41 @@
+From cd0082235783f814241a1c9483fb89e405f4f892 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Sun, 24 Oct 2021 11:26:59 +0200
+Subject: iio: mma8452: Fix trigger reference couting
+
+From: Lars-Peter Clausen
+
+commit cd0082235783f814241a1c9483fb89e405f4f892 upstream.
+
+The mma8452 driver directly assigns a trigger to the struct iio_dev. The
+IIO core when done using this trigger will call `iio_trigger_put()` to drop
+the reference count by 1.
+
+Without the matching `iio_trigger_get()` in the driver the reference count
+can reach 0 too early, the trigger gets freed while still in use and a
+use-after-free occurs.
+
+Fix this by getting a reference to the trigger before assigning it to the
+IIO device.
+
+Fixes: ae6d9ce05691 ("iio: mma8452: Add support for interrupt driven triggers.")
+Signed-off-by: Lars-Peter Clausen
+Link: https://lore.kernel.org/r/20211024092700.6844-1-lars@metafoo.de
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/accel/mma8452.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/accel/mma8452.c
++++ b/drivers/iio/accel/mma8452.c
+@@ -1389,7 +1389,7 @@ static int mma8452_trigger_setup(struct
+ if (ret)
+ return ret;
+
+- indio_dev->trig = trig;
++ indio_dev->trig = iio_trigger_get(trig);
+
+ return 0;
+ }
diff --git a/queue-4.9/iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch b/queue-4.9/iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch
new file mode 100644
index 00000000000..2bca24fb0e0
--- /dev/null
+++ b/queue-4.9/iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch
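Review bot: The new `iio_trigger_get(trig)` in mma8452_trigger_setup() deserves a one-line comment, because nothing at the assignment says who drops the extra reference. Something like `/* indio_dev->trig holds its own reference; the IIO core releases it with iio_trigger_put() */` above `indio_dev->trig = iio_trigger_get(trig);` would stop a later cleanup from removing the call as redundant and reintroducing the use-after-free described in the commit message. The function starts outside the hunk, so how `trig` is allocated and registered is not visible here.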
@@ -0,0 +1,49 @@
+From 8e1eeca5afa7ba84d885987165dbdc5decf15413 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Sun, 24 Oct 2021 19:12:51 +0200
+Subject: iio: stk3310: Don't return error code in interrupt handler
+
+From: Lars-Peter Clausen
+
+commit 8e1eeca5afa7ba84d885987165dbdc5decf15413 upstream.
+
+Interrupt handlers must return one of the irqreturn_t values. Returning a
+error code is not supported.
+
+The stk3310 event interrupt handler returns an error code when reading the
+flags register fails.
+
+Fix the implementation to always return an irqreturn_t value.
+
+Fixes: 3dd477acbdd1 ("iio: light: Add threshold interrupt support for STK3310")
+Signed-off-by: Lars-Peter Clausen
+Link: https://lore.kernel.org/r/20211024171251.22896-3-lars@metafoo.de
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/stk3310.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/light/stk3310.c
++++ b/drivers/iio/light/stk3310.c
+@@ -546,9 +546,8 @@ static irqreturn_t stk3310_irq_event_han
+ mutex_lock(&data->lock);
+ ret = regmap_field_read(data->reg_flag_nf, &dir);
+ if (ret < 0) {
+- dev_err(&data->client->dev, "register read failed\n");
+- mutex_unlock(&data->lock);
+- return ret;
++ dev_err(&data->client->dev, "register read failed: %d\n", ret);
++ goto out;
+ }
+ event = IIO_UNMOD_EVENT_CODE(IIO_PROXIMITY, 1,
+ IIO_EV_TYPE_THRESH,
+@@ -560,6 +559,7 @@ static irqreturn_t stk3310_irq_event_han
+ ret = regmap_field_write(data->reg_flag_psint, 0);
+ if (ret < 0)
+ dev_err(&data->client->dev, "failed to reset interrupts\n");
++out:
+ mutex_unlock(&data->lock);
+
+ return IRQ_HANDLED;
diff --git a/queue-4.9/irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch b/queue-4.9/irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch
new file mode 100644
index 00000000000..37b6f6bd0b1
--- /dev/null
+++ b/queue-4.9/irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch @@ -0,0 +1,36 @@ +From ce20eff57361e72878a772ef08b5239d3ae102b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 14:00:56 +0100 +Subject: irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit ce20eff57361e72878a772ef08b5239d3ae102b6 upstream. + +IRQ domain alloc function should return zero on success. Non-zero value +indicates failure. + +Signed-off-by: Pali Rohár +Fixes: fcc392d501bd ("irqchip/armada-370-xp: Use the generic MSI infrastructure") +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211125130057.26705-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-armada-370-xp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -171,7 +171,7 @@ static int armada_370_xp_msi_alloc(struc + NULL, NULL); + } + +- return hwirq; ++ return 0; + } + + static void armada_370_xp_msi_free(struct irq_domain *domain, diff --git a/queue-4.9/irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch b/queue-4.9/irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch new file mode 100644 index 00000000000..bdd559f4abd --- /dev/null +++ b/queue-4.9/irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch 
@@ -0,0 +1,62 @@ +From d0a553502efd545c1ce3fd08fc4d423f8e4ac3d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Thu, 25 Nov 2021 14:00:57 +0100 +Subject: irqchip/armada-370-xp: Fix support for Multi-MSI interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit d0a553502efd545c1ce3fd08fc4d423f8e4ac3d6 upstream. + +irq-armada-370-xp driver already sets MSI_FLAG_MULTI_PCI_MSI flag into +msi_domain_info structure. But allocated interrupt numbers for Multi-MSI +needs to be properly aligned otherwise devices send MSI interrupt with +wrong number. + +Fix this issue by using function bitmap_find_free_region() instead of +bitmap_find_next_zero_area() to allocate aligned interrupt numbers. + +Signed-off-by: Pali Rohár +Fixes: a71b9412c90c ("irqchip/armada-370-xp: Allow allocation of multiple MSIs") +Cc: stable@vger.kernel.org +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211125130057.26705-2-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-armada-370-xp.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -153,16 +153,12 @@ static int armada_370_xp_msi_alloc(struc + int hwirq, i; + + mutex_lock(&msi_used_lock); ++ hwirq = bitmap_find_free_region(msi_used, PCI_MSI_DOORBELL_NR, ++ order_base_2(nr_irqs)); ++ mutex_unlock(&msi_used_lock); + +- hwirq = bitmap_find_next_zero_area(msi_used, PCI_MSI_DOORBELL_NR, +- 0, nr_irqs, 0); +- if (hwirq >= PCI_MSI_DOORBELL_NR) { +- mutex_unlock(&msi_used_lock); ++ if (hwirq < 0) + return -ENOSPC; +- } +- +- bitmap_set(msi_used, hwirq, nr_irqs); +- mutex_unlock(&msi_used_lock); + + for (i = 0; i < nr_irqs; i++) { + irq_domain_set_info(domain, virq + i, hwirq + i, +@@ -180,7 +176,7 @@ static void armada_370_xp_msi_free(struc + struct irq_data *d = irq_domain_get_irq_data(domain, virq); + + 
mutex_lock(&msi_used_lock); +- bitmap_clear(msi_used, d->hwirq, nr_irqs); ++ bitmap_release_region(msi_used, d->hwirq, order_base_2(nr_irqs)); + mutex_unlock(&msi_used_lock); + } + diff --git a/queue-4.9/irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch b/queue-4.9/irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch new file mode 100644 index 00000000000..438ef0ddedb --- /dev/null +++ b/queue-4.9/irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch @@ -0,0 +1,38 @@ +From b383a42ca523ce54bcbd63f7c8f3cf974abc9b9a Mon Sep 17 00:00:00 2001 +From: Wudi Wang +Date: Wed, 8 Dec 2021 09:54:29 +0800 +Subject: irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL + +From: Wudi Wang + +commit b383a42ca523ce54bcbd63f7c8f3cf974abc9b9a upstream. + +INVALL CMD specifies that the ITS must ensure any caching associated with +the interrupt collection defined by ICID is consistent with the LPI +configuration tables held in memory for all Redistributors. SYNC is +required to ensure that INVALL is executed. + +Currently, LPI configuration data may be inconsistent with that in the +memory within a short period of time after the INVALL command is executed. + +Signed-off-by: Wudi Wang +Signed-off-by: Shaokun Zhang +Signed-off-by: Marc Zyngier +Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue") +Link: https://lore.kernel.org/r/20211208015429.5007-1-zhangshaokun@hisilicon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -369,7 +369,7 @@ static struct its_collection *its_build_ + + its_fixup_cmd(cmd); + +- return NULL; ++ return desc->its_invall_cmd.col; + } + + static u64 its_cmd_ptr_to_offset(struct its_node *its, 
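Review bot: The switch to `bitmap_find_free_region()` in armada_370_xp_msi_alloc() reserves a power-of-two block (`order_base_2(nr_irqs)`) while the loop below still programs only `nr_irqs` entries, and nothing in the code says why. A comment above the call, e.g. `/* Multi-MSI needs a naturally aligned power-of-two block of doorbells */`, would record the reason given in the commit message. armada_370_xp_msi_free() recomputes the order from its own `nr_irqs`, so it silently relies on being called with the same count as the allocation; that assumption is worth stating next to `bitmap_release_region()`. Both functions extend beyond the hunks.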
diff --git a/queue-4.9/irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch b/queue-4.9/irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch new file mode 100644 index 00000000000..8df499fe9de --- /dev/null +++ b/queue-4.9/irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch @@ -0,0 +1,33 @@ +From c5e0cbe2858d278a27d5b3fe31890aea5be064c4 Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Wed, 1 Dec 2021 11:02:58 +0000 +Subject: irqchip: nvic: Fix offset for Interrupt Priority Offsets + +From: Vladimir Murzin + +commit c5e0cbe2858d278a27d5b3fe31890aea5be064c4 upstream. + +According to ARM(v7M) ARM Interrupt Priority Offsets located at +0xE000E400-0xE000E5EC, while 0xE000E300-0xE000E33C covers read-only +Interrupt Active Bit Registers + +Fixes: 292ec080491d ("irqchip: Add support for ARMv7-M NVIC") +Signed-off-by: Vladimir Murzin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211201110259.84857-1-vladimir.murzin@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-nvic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-nvic.c ++++ b/drivers/irqchip/irq-nvic.c +@@ -29,7 +29,7 @@ + + #define NVIC_ISER 0x000 + #define NVIC_ICER 0x080 +-#define NVIC_IPR 0x300 ++#define NVIC_IPR 0x400 + + #define NVIC_MAX_BANKS 16 + /* diff --git a/queue-4.9/series b/queue-4.9/series index b243dc49a5b..43645d07c9d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -26,3 +26,17 @@ net-altera-set-a-couple-error-code-in-probe.patch net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch +usb-gadget-detect-too-big-endpoint-0-requests.patch +usb-gadget-zero-allocate-endpoint-0-buffers.patch +usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch +usb-core-config-using-bit-mask-instead-of-individual-bits.patch +iio-stk3310-don-t-return-error-code-in-interrupt-handler.patch +iio-mma8452-fix-trigger-reference-couting.patch +iio-ltr501-don-t-return-error-code-in-trigger-handler.patch +iio-kxsd9-don-t-return-error-code-in-trigger-handler.patch +iio-itg3200-call-iio_trigger_notify_done-on-error.patch +iio-accel-kxcjk-1013-fix-possible-memory-leak-in-probe-and-remove.patch +irqchip-armada-370-xp-fix-return-value-of-armada_370_xp_msi_alloc.patch +irqchip-armada-370-xp-fix-support-for-multi-msi-interrupts.patch +irqchip-irq-gic-v3-its.c-force-synchronisation-when-issuing-invall.patch +irqchip-nvic-fix-offset-for-interrupt-priority-offsets.patch diff --git a/queue-4.9/usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch b/queue-4.9/usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch new file mode 100644 index 00000000000..b8ab2382538 --- /dev/null +++ b/queue-4.9/usb-core-config-fix-validation-of-wmaxpacketvalue-entries.patch 
@@ -0,0 +1,37 @@
+From 1a3910c80966e4a76b25ce812f6bea0ef1b1d530 Mon Sep 17 00:00:00 2001
+From: Pavel Hofman
+Date: Fri, 10 Dec 2021 09:52:18 +0100
+Subject: usb: core: config: fix validation of wMaxPacketValue entries
+
+From: Pavel Hofman
+
+commit 1a3910c80966e4a76b25ce812f6bea0ef1b1d530 upstream.
+
+The checks performed by commit aed9d65ac327 ("USB: validate
+wMaxPacketValue entries in endpoint descriptors") require that initial
+value of the maxp variable contains both maximum packet size bits
+(10..0) and multiple-transactions bits (12..11). However, the existing
+code assings only the maximum packet size bits. This patch assigns all
+bits of wMaxPacketSize to the variable.
+
+Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors")
+Cc: stable
+Acked-by: Alan Stern
+Signed-off-by: Pavel Hofman
+Link: https://lore.kernel.org/r/20211210085219.16796-1-pavel.hofman@ivitera.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/core/config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -404,7 +404,7 @@ static int usb_parse_endpoint(struct dev
+ * the USB-2 spec requires such endpoints to have wMaxPacketSize = 0
+ * (see the end of section 5.6.3), so don't warn about them.
+ */
+- maxp = usb_endpoint_maxp(&endpoint->desc);
++ maxp = le16_to_cpu(endpoint->desc.wMaxPacketSize);
+ if (maxp == 0 && !(usb_endpoint_xfer_isoc(d) && asnum == 0)) {
+ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid wMaxPacketSize 0\n",
+ cfgno, inum, asnum, d->bEndpointAddress);
diff --git a/queue-4.9/usb-core-config-using-bit-mask-instead-of-individual-bits.patch b/queue-4.9/usb-core-config-using-bit-mask-instead-of-individual-bits.patch
new file mode 100644
index 00000000000..9e30259c0b3
--- /dev/null
+++ b/queue-4.9/usb-core-config-using-bit-mask-instead-of-individual-bits.patch
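Review bot: The comment block above `maxp = le16_to_cpu(endpoint->desc.wMaxPacketSize);` in usb_parse_endpoint() still only covers the zero case, so nothing explains why the raw field is read instead of calling `usb_endpoint_maxp()`. The value comes straight from a device-supplied descriptor and, per the commit message, the later checks need bits 12..11 to be present, so a comment such as `/* keep the full 16-bit field: the mult bits are validated and masked off below */` would make that dependency explicit. It is also worth confirming in the 4.9 tree that every later use of `maxp` expects the unmasked value, because the rest of the function is outside the hunk.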
@@ -0,0 +1,34 @@
+From ca5737396927afd4d57b133fd2874bbcf3421cdb Mon Sep 17 00:00:00 2001
+From: Pavel Hofman
+Date: Fri, 10 Dec 2021 09:52:19 +0100
+Subject: usb: core: config: using bit mask instead of individual bits
+
+From: Pavel Hofman
+
+commit ca5737396927afd4d57b133fd2874bbcf3421cdb upstream.
+
+Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for
+extracting multiple-transactions bits from wMaxPacketSize value.
+
+Acked-by: Alan Stern
+Signed-off-by: Pavel Hofman
+Link: https://lore.kernel.org/r/20211210085219.16796-2-pavel.hofman@ivitera.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/core/config.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -420,9 +420,9 @@ static int usb_parse_endpoint(struct dev
+ maxpacket_maxes = full_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_HIGH:
+- /* Bits 12..11 are allowed only for HS periodic endpoints */
++ /* Multiple-transactions bits are allowed only for HS periodic endpoints */
+ if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
+- i = maxp & (BIT(12) | BIT(11));
++ i = maxp & USB_EP_MAXP_MULT_MASK;
+ maxp &= ~i;
+ }
+ /* fallthrough */
diff --git a/queue-4.9/usb-gadget-detect-too-big-endpoint-0-requests.patch b/queue-4.9/usb-gadget-detect-too-big-endpoint-0-requests.patch
new file mode 100644
index 00000000000..69923c127a1
--- /dev/null
+++ b/queue-4.9/usb-gadget-detect-too-big-endpoint-0-requests.patch
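Review bot: `USB_EP_MAXP_MULT_MASK` is used in the USB_SPEED_HIGH case of usb_parse_endpoint() but this patch adds no definition for it, so the backport depends on the 4.9 headers already providing the macro; that is not visible from this page and should be confirmed with a build of the queue. If the tree lacks it, the previous `i = maxp & (BIT(12) | BIT(11));` form selects the same two bits and needs no new macro. The function begins and ends outside the hunk.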
@@ -0,0 +1,104 @@
+From 153a2d7e3350cc89d406ba2d35be8793a64c2038 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Dec 2021 18:59:27 +0100
+Subject: USB: gadget: detect too-big endpoint 0 requests
+
+From: Greg Kroah-Hartman
+
+commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream.
+
+Sometimes USB hosts can ask for buffers that are too large from endpoint
+0, which should not be allowed. If this happens for OUT requests, stall
+the endpoint, but for IN requests, trim the request size to the endpoint
+buffer size.
+
+Co-developed-by: Szymon Heidrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 12 ++++++++++++
+ drivers/usb/gadget/legacy/dbgp.c | 13 +++++++++++++
+ drivers/usb/gadget/legacy/inode.c | 16 +++++++++++++++-
+ 3 files changed, 40 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1631,6 +1631,18 @@ composite_setup(struct usb_gadget *gadge
+ struct usb_function *f = NULL;
+ u8 endp;
+
++ if (w_length > USB_COMP_EP0_BUFSIZ) {
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ goto done;
++ } else {
++ /* Cast away the const, we are going to overwrite on purpose. */
++ __le16 *temp = (__le16 *)&ctrl->wLength;
++
++ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
++ w_length = USB_COMP_EP0_BUFSIZ;
++ }
++ }
++
+ /* partial re-init of the response message; the function or the
+ * gadget might need to intercept e.g. a control-OUT completion
+ * when we delegate to it.
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -344,6 +344,19 @@ static int dbgp_setup(struct usb_gadget
+ void *data = NULL;
+ u16 len = 0;
+
++ if (length > DBGP_REQ_LEN) {
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ return err;
++ } else {
++ /* Cast away the const, we are going to overwrite on purpose. */
++ __le16 *temp = (__le16 *)&ctrl->wLength;
++
++ *temp = cpu_to_le16(DBGP_REQ_LEN);
++ length = DBGP_REQ_LEN;
++ }
++ }
++
++
+ if (request == USB_REQ_GET_DESCRIPTOR) {
+ switch (value>>8) {
+ case USB_DT_DEVICE:
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -113,6 +113,8 @@ enum ep0_state {
+ /* enough for the whole queue: most events invalidate others */
+ #define N_EVENT 5
+
++#define RBUF_SIZE 256
++
+ struct dev_data {
+ spinlock_t lock;
+ atomic_t count;
+@@ -147,7 +149,7 @@ struct dev_data {
+ struct dentry *dentry;
+
+ /* except this scratch i/o buffer for ep0 */
+- u8 rbuf [256];
++ u8 rbuf[RBUF_SIZE];
+ };
+
+ static inline void get_dev (struct dev_data *data)
+@@ -1336,6 +1338,18 @@ gadgetfs_setup (struct usb_gadget *gadge
+ u16 w_value = le16_to_cpu(ctrl->wValue);
+ u16 w_length = le16_to_cpu(ctrl->wLength);
+
++ if (w_length > RBUF_SIZE) {
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ return value;
++ } else {
++ /* Cast away the const, we are going to overwrite on purpose. */
++ __le16 *temp = (__le16 *)&ctrl->wLength;
++
++ *temp = cpu_to_le16(RBUF_SIZE);
++ w_length = RBUF_SIZE;
++ }
++ }
++
+ spin_lock (&dev->lock);
+ dev->setup_abort = 0;
+ if (dev->state == STATE_DEV_UNCONNECTED) {
diff --git a/queue-4.9/usb-gadget-zero-allocate-endpoint-0-buffers.patch b/queue-4.9/usb-gadget-zero-allocate-endpoint-0-buffers.patch
new file mode 100644
index 00000000000..c3d09b7b71b
--- /dev/null
+++ b/queue-4.9/usb-gadget-zero-allocate-endpoint-0-buffers.patch
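Review bot: The direction test `ctrl->bRequestType == USB_DIR_OUT` in the added guards of composite_setup(), dbgp_setup() and gadgetfs_setup() compares the whole bRequestType byte with 0, so it only matches standard, device-recipient OUT requests. A class or vendor OUT request with an oversized wLength takes the else branch and is trimmed instead of stalled, which is not what the commit message describes for OUT transfers. bRequestType is a bitfield with the direction in bit 7, so the test should be `if (!(ctrl->bRequestType & USB_DIR_IN)) {` in all three places. The three functions continue outside the hunks, so the `done` label and the values `err` and `value` hold at the early returns cannot be checked from here.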
@@ -0,0 +1,43 @@
+From 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Dec 2021 19:02:15 +0100
+Subject: USB: gadget: zero allocate endpoint 0 buffers
+
+From: Greg Kroah-Hartman
+
+commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream.
+
+Under some conditions, USB gadget devices can show allocated buffer
+contents to a host. Fix this up by zero-allocating them so that any
+extra data will all just be zeros.
+
+Reported-by: Szymon Heidrich
+Tested-by: Szymon Heidrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 2 +-
+ drivers/usb/gadget/legacy/dbgp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2183,7 +2183,7 @@ int composite_dev_prepare(struct usb_com
+ if (!cdev->req)
+ return -ENOMEM;
+
+- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
++ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+ if (!cdev->req->buf)
+ goto fail;
+
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -136,7 +136,7 @@ static int dbgp_enable_ep_req(struct usb
+ goto fail_1;
+ }
+
+- req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL);
++ req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);
+ if (!req->buf) {
+ err = -ENOMEM;
+ stp = 2;
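Review bot: Zeroing at allocation in composite_dev_prepare() and dbgp_enable_ep_req() only guarantees clean contents for the first transfer; if the ep0 buffer is reused for later control requests (likely, but not visible in these hunks), a reply longer than what the handler wrote would still carry bytes left by an earlier request. A comment at each call would record what the zeroing does and does not cover, e.g. `/* zeroed so a short fill never sends uninitialised heap bytes to the host; later requests reuse the buffer */`. The gadgetfs ep0 scratch buffer `rbuf` in legacy/inode.c is not touched by this change and the allocation of its containing struct is not shown on this page, so it is worth confirming that it is zero-initialised as well. Both functions continue outside the hunks.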