From: Greg Kroah-Hartman Date: Mon, 31 Aug 2020 12:30:59 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.235~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8cfd702abf4ab0edc4b36153522649a3bad0ca0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: overflow.h-add-allocation-size-calculation-helpers.patch usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch usb-uas-add-quirk-for-pny-pro-elite.patch usb-yurex-fix-bad-gfp-argument.patch --- diff --git a/queue-4.9/overflow.h-add-allocation-size-calculation-helpers.patch b/queue-4.9/overflow.h-add-allocation-size-calculation-helpers.patch new file mode 100644 index 00000000000..d73ddd55278 --- /dev/null +++ b/queue-4.9/overflow.h-add-allocation-size-calculation-helpers.patch @@ -0,0 +1,141 @@ +From 610b15c50e86eb1e4b77274fabcaea29ac72d6a8 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 7 May 2018 16:47:02 -0700 +Subject: overflow.h: Add allocation size calculation helpers + +From: Kees Cook + +commit 610b15c50e86eb1e4b77274fabcaea29ac72d6a8 upstream. + +In preparation for replacing unchecked overflows for memory allocations, +this creates helpers for the 3 most common calculations: + +array_size(a, b): 2-dimensional array +array3_size(a, b, c): 3-dimensional array +struct_size(ptr, member, n): struct followed by n-many trailing members + +Each of these return SIZE_MAX on overflow instead of wrapping around. + +(Additionally renames a variable named "array_size" to avoid future +collision.) + +Co-developed-by: Matthew Wilcox +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-table.c | 10 +++--- + include/linux/overflow.h | 73 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 78 insertions(+), 5 deletions(-) + +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -510,14 +510,14 @@ static int adjoin(struct dm_table *table + * On the other hand, dm-switch needs to process bulk data using messages and + * excessive use of GFP_NOIO could cause trouble. + */ +-static char **realloc_argv(unsigned *array_size, char **old_argv) ++static char **realloc_argv(unsigned *size, char **old_argv) + { + char **argv; + unsigned new_size; + gfp_t gfp; + +- if (*array_size) { +- new_size = *array_size * 2; ++ if (*size) { ++ new_size = *size * 2; + gfp = GFP_KERNEL; + } else { + new_size = 8; +@@ -525,8 +525,8 @@ static char **realloc_argv(unsigned *arr + } + argv = kmalloc(new_size * sizeof(*argv), gfp); + if (argv) { +- memcpy(argv, old_argv, *array_size * sizeof(*argv)); +- *array_size = new_size; ++ memcpy(argv, old_argv, *size * sizeof(*argv)); ++ *size = new_size; + } + + kfree(old_argv); +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -233,4 +233,77 @@ + (*_d >> _to_shift) != _a); \ + }) + ++/** ++ * array_size() - Calculate size of 2-dimensional array. ++ * ++ * @a: dimension one ++ * @b: dimension two ++ * ++ * Calculates size of 2-dimensional array: @a * @b. ++ * ++ * Returns: number of bytes needed to represent the array or SIZE_MAX on ++ * overflow. ++ */ ++static inline __must_check size_t array_size(size_t a, size_t b) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(a, b, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++/** ++ * array3_size() - Calculate size of 3-dimensional array. ++ * ++ * @a: dimension one ++ * @b: dimension two ++ * @c: dimension three ++ * ++ * Calculates size of 3-dimensional array: @a * @b * @c. ++ * ++ * Returns: number of bytes needed to represent the array or SIZE_MAX on ++ * overflow. ++ */ ++static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(a, b, &bytes)) ++ return SIZE_MAX; ++ if (check_mul_overflow(bytes, c, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(n, size, &bytes)) ++ return SIZE_MAX; ++ if (check_add_overflow(bytes, c, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++/** ++ * struct_size() - Calculate size of structure with trailing array. ++ * @p: Pointer to the structure. ++ * @member: Name of the array member. ++ * @n: Number of elements in the array. ++ * ++ * Calculates size of memory needed for structure @p followed by an ++ * array of @n @member elements. ++ * ++ * Return: number of bytes needed or SIZE_MAX on overflow. ++ */ ++#define struct_size(p, member, n) \ ++ __ab_c_size(n, \ ++ sizeof(*(p)->member) + __must_be_array((p)->member),\ ++ sizeof(*(p))) ++ + #endif /* __LINUX_OVERFLOW_H */ diff --git a/queue-4.9/series b/queue-4.9/series index 71203d8aa22..5e6bd7235de 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -63,3 +63,13 @@ xen-uses-irqdesc-irq_data_common-handler_data-to-store-a-per-interrupt-xen-data- xhci-do-warm-reset-when-both-cas-and-xdev_resume-are-set.patch pm-sleep-core-fix-the-handling-of-pending-runtime-resume-requests.patch device-property-fix-the-secondary-firmware-node-handling-in-set_primary_fwnode.patch +usb-yurex-fix-bad-gfp-argument.patch +usb-uas-add-quirk-for-pny-pro-elite.patch +usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch +usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch +usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch +overflow.h-add-allocation-size-calculation-helpers.patch +usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch +usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch +usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch +usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch diff --git a/queue-4.9/usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch b/queue-4.9/usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch new file mode 100644 index 00000000000..77d3f154321 --- /dev/null +++ b/queue-4.9/usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch @@ -0,0 +1,178 @@ +From 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Mon Sep 17 00:00:00 2001 +From: Brooke Basile +Date: Tue, 25 Aug 2020 09:07:27 -0400 +Subject: USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb() + +From: Brooke Basile + +commit 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 upstream. + +Some values extracted by ncm_unwrap_ntb() could possibly lead to several +different out of bounds reads of memory. Specifically the values passed +to netdev_alloc_skb_ip_align() need to be checked so that memory is not +overflowed. + +Resolve this by applying bounds checking to a number of different +indexes and lengths of the structure parsing logic. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Brooke Basile +Acked-by: Felipe Balbi +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_ncm.c | 81 ++++++++++++++++++++++++++++++------ + 1 file changed, 69 insertions(+), 12 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1209,12 +1209,15 @@ static int ncm_unwrap_ntb(struct gether + int ndp_index; + unsigned dg_len, dg_len2; + unsigned ndp_len; ++ unsigned block_len; + struct sk_buff *skb2; + int ret = -EINVAL; +- unsigned max_size = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize); ++ unsigned ntb_max = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize); ++ unsigned frame_max = le16_to_cpu(ecm_desc.wMaxSegmentSize); + const struct ndp_parser_opts *opts = ncm->parser_opts; + unsigned crc_len = ncm->is_crc ? sizeof(uint32_t) : 0; + int dgram_counter; ++ bool ndp_after_header; + + /* dwSignature */ + if (get_unaligned_le32(tmp) != opts->nth_sign) { +@@ -1233,25 +1236,37 @@ static int ncm_unwrap_ntb(struct gether + } + tmp++; /* skip wSequence */ + ++ block_len = get_ncm(&tmp, opts->block_length); + /* (d)wBlockLength */ +- if (get_ncm(&tmp, opts->block_length) > max_size) { ++ if (block_len > ntb_max) { + INFO(port->func.config->cdev, "OUT size exceeded\n"); + goto err; + } + + ndp_index = get_ncm(&tmp, opts->ndp_index); ++ ndp_after_header = false; + + /* Run through all the NDP's in the NTB */ + do { +- /* NCM 3.2 */ +- if (((ndp_index % 4) != 0) && +- (ndp_index < opts->nth_size)) { ++ /* ++ * NCM 3.2 ++ * dwNdpIndex ++ */ ++ if (((ndp_index % 4) != 0) || ++ (ndp_index < opts->nth_size) || ++ (ndp_index > (block_len - ++ opts->ndp_size))) { + INFO(port->func.config->cdev, "Bad index: %#X\n", + ndp_index); + goto err; + } ++ if (ndp_index == opts->nth_size) ++ ndp_after_header = true; + +- /* walk through NDP */ ++ /* ++ * walk through NDP ++ * dwSignature ++ */ + tmp = (void *)(skb->data + ndp_index); + if (get_unaligned_le32(tmp) != ncm->ndp_sign) { + INFO(port->func.config->cdev, "Wrong NDP SIGN\n"); +@@ -1262,14 +1277,15 @@ static int ncm_unwrap_ntb(struct gether + ndp_len = get_unaligned_le16(tmp++); + /* + * NCM 3.3.1 ++ * wLength + * entry is 2 items + * item size is 16/32 bits, opts->dgram_item_len * 2 bytes + * minimal: struct usb_cdc_ncm_ndpX + normal entry + zero entry + * Each entry is a dgram index and a dgram length. + */ + if ((ndp_len < opts->ndp_size +- + 2 * 2 * (opts->dgram_item_len * 2)) +- || (ndp_len % opts->ndplen_align != 0)) { ++ + 2 * 2 * (opts->dgram_item_len * 2)) || ++ (ndp_len % opts->ndplen_align != 0)) { + INFO(port->func.config->cdev, "Bad NDP length: %#X\n", + ndp_len); + goto err; +@@ -1286,8 +1302,21 @@ static int ncm_unwrap_ntb(struct gether + + do { + index = index2; ++ /* wDatagramIndex[0] */ ++ if ((index < opts->nth_size) || ++ (index > block_len - opts->dpe_size)) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index); ++ goto err; ++ } ++ + dg_len = dg_len2; +- if (dg_len < 14 + crc_len) { /* ethernet hdr + crc */ ++ /* ++ * wDatagramLength[0] ++ * ethernet hdr + crc or larger than max frame size ++ */ ++ if ((dg_len < 14 + crc_len) || ++ (dg_len > frame_max)) { + INFO(port->func.config->cdev, + "Bad dgram length: %#X\n", dg_len); + goto err; +@@ -1311,6 +1340,37 @@ static int ncm_unwrap_ntb(struct gether + index2 = get_ncm(&tmp, opts->dgram_item_len); + dg_len2 = get_ncm(&tmp, opts->dgram_item_len); + ++ if (index2 == 0 || dg_len2 == 0) ++ break; ++ ++ /* wDatagramIndex[1] */ ++ if (ndp_after_header) { ++ if (index2 < opts->nth_size + opts->ndp_size) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index2); ++ goto err; ++ } ++ } else { ++ if (index2 < opts->nth_size + opts->dpe_size) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index2); ++ goto err; ++ } ++ } ++ if (index2 > block_len - opts->dpe_size) { ++ INFO(port->func.config->cdev, ++ "Bad index: %#X\n", index2); ++ goto err; ++ } ++ ++ /* wDatagramLength[1] */ ++ if ((dg_len2 < 14 + crc_len) || ++ (dg_len2 > frame_max)) { ++ INFO(port->func.config->cdev, ++ "Bad dgram length: %#X\n", dg_len); ++ goto err; ++ } ++ + /* + * Copy the data into a new skb. + * This ensures the truesize is correct +@@ -1327,9 +1387,6 @@ static int ncm_unwrap_ntb(struct gether + ndp_len -= 2 * (opts->dgram_item_len * 2); + + dgram_counter++; +- +- if (index2 == 0 || dg_len2 == 0) +- break; + } while (ndp_len > 2 * (opts->dgram_item_len * 2)); + } while (ndp_index); + diff --git a/queue-4.9/usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch b/queue-4.9/usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch new file mode 100644 index 00000000000..b195dafc09b --- /dev/null +++ b/queue-4.9/usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch @@ -0,0 +1,85 @@ +From b1cd1b65afba95971fa457dfdb2c941c60d38c5b Mon Sep 17 00:00:00 2001 +From: Brooke Basile +Date: Tue, 25 Aug 2020 09:05:08 -0400 +Subject: USB: gadget: u_f: add overflow checks to VLA macros + +From: Brooke Basile + +commit b1cd1b65afba95971fa457dfdb2c941c60d38c5b upstream. + +size can potentially hold an overflowed value if its assigned expression +is left unchecked, leading to a smaller than needed allocation when +vla_group_size() is used by callers to allocate memory. +To fix this, add a test for saturation before declaring variables and an +overflow check to (n) * sizeof(type). +If the expression results in overflow, vla_group_size() will return SIZE_MAX. + +Reported-by: Ilja Van Sprundel +Suggested-by: Kees Cook +Signed-off-by: Brooke Basile +Acked-by: Felipe Balbi +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/u_f.h | 38 +++++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +--- a/drivers/usb/gadget/u_f.h ++++ b/drivers/usb/gadget/u_f.h +@@ -17,6 +17,7 @@ + #define __U_F_H__ + + #include ++#include + + /* Variable Length Array Macros **********************************************/ + #define vla_group(groupname) size_t groupname##__next = 0 +@@ -24,21 +25,36 @@ + + #define vla_item(groupname, type, name, n) \ + size_t groupname##_##name##__offset = ({ \ +- size_t align_mask = __alignof__(type) - 1; \ +- size_t offset = (groupname##__next + align_mask) & ~align_mask;\ +- size_t size = (n) * sizeof(type); \ +- groupname##__next = offset + size; \ ++ size_t offset = 0; \ ++ if (groupname##__next != SIZE_MAX) { \ ++ size_t align_mask = __alignof__(type) - 1; \ ++ size_t offset = (groupname##__next + align_mask) \ ++ & ~align_mask; \ ++ size_t size = array_size(n, sizeof(type)); \ ++ if (check_add_overflow(offset, size, \ ++ &groupname##__next)) { \ ++ groupname##__next = SIZE_MAX; \ ++ offset = 0; \ ++ } \ ++ } \ + offset; \ + }) + + #define vla_item_with_sz(groupname, type, name, n) \ +- size_t groupname##_##name##__sz = (n) * sizeof(type); \ +- size_t groupname##_##name##__offset = ({ \ +- size_t align_mask = __alignof__(type) - 1; \ +- size_t offset = (groupname##__next + align_mask) & ~align_mask;\ +- size_t size = groupname##_##name##__sz; \ +- groupname##__next = offset + size; \ +- offset; \ ++ size_t groupname##_##name##__sz = array_size(n, sizeof(type)); \ ++ size_t groupname##_##name##__offset = ({ \ ++ size_t offset = 0; \ ++ if (groupname##__next != SIZE_MAX) { \ ++ size_t align_mask = __alignof__(type) - 1; \ ++ size_t offset = (groupname##__next + align_mask) \ ++ & ~align_mask; \ ++ if (check_add_overflow(offset, groupname##_##name##__sz,\ ++ &groupname##__next)) { \ ++ groupname##__next = SIZE_MAX; \ ++ offset = 0; \ ++ } \ ++ } \ ++ offset; \ + }) + + #define vla_ptr(ptr, groupname, name) \ diff --git a/queue-4.9/usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch b/queue-4.9/usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch new file mode 100644 index 00000000000..d89e0f9b8af --- /dev/null +++ b/queue-4.9/usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch @@ -0,0 +1,51 @@ +From bfd08d06d978d0304eb6f7855b548aa2cd1c5486 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 26 Aug 2020 22:21:19 +0300 +Subject: USB: gadget: u_f: Unbreak offset calculation in VLAs + +From: Andy Shevchenko + +commit bfd08d06d978d0304eb6f7855b548aa2cd1c5486 upstream. + +Inadvertently the commit b1cd1b65afba ("USB: gadget: u_f: add overflow checks +to VLA macros") makes VLA macros to always return 0 due to different scope of +two variables of the same name. Obviously we need to have only one. + +Fixes: b1cd1b65afba ("USB: gadget: u_f: add overflow checks to VLA macros") +Reported-by: Marek Szyprowski +Tested-by: Marek Szyprowski +Signed-off-by: Andy Shevchenko +Cc: Brooke Basile +Cc: stable +Link: https://lore.kernel.org/r/20200826192119.56450-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/u_f.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/u_f.h ++++ b/drivers/usb/gadget/u_f.h +@@ -28,9 +28,9 @@ + size_t offset = 0; \ + if (groupname##__next != SIZE_MAX) { \ + size_t align_mask = __alignof__(type) - 1; \ +- size_t offset = (groupname##__next + align_mask) \ +- & ~align_mask; \ + size_t size = array_size(n, sizeof(type)); \ ++ offset = (groupname##__next + align_mask) & \ ++ ~align_mask; \ + if (check_add_overflow(offset, size, \ + &groupname##__next)) { \ + groupname##__next = SIZE_MAX; \ +@@ -46,8 +46,8 @@ + size_t offset = 0; \ + if (groupname##__next != SIZE_MAX) { \ + size_t align_mask = __alignof__(type) - 1; \ +- size_t offset = (groupname##__next + align_mask) \ +- & ~align_mask; \ ++ offset = (groupname##__next + align_mask) & \ ++ ~align_mask; \ + if (check_add_overflow(offset, groupname##_##name##__sz,\ + &groupname##__next)) { \ + groupname##__next = SIZE_MAX; \ diff --git a/queue-4.9/usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch b/queue-4.9/usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch new file mode 100644 index 00000000000..2690837cb0e --- /dev/null +++ b/queue-4.9/usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch @@ -0,0 +1,41 @@ +From 1d4169834628d18b2392a2da92b7fbf5e8e2ce89 Mon Sep 17 00:00:00 2001 +From: Tang Bin +Date: Wed, 26 Aug 2020 22:49:31 +0800 +Subject: usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe() + +From: Tang Bin + +commit 1d4169834628d18b2392a2da92b7fbf5e8e2ce89 upstream. + +If the function platform_get_irq() failed, the negative value +returned will not be detected here. So fix error handling in +exynos_ohci_probe(). And when get irq failed, the function +platform_get_irq() logs an error message, so remove redundant +message here. + +Fixes: 62194244cf87 ("USB: Add Samsung Exynos OHCI diver") +Signed-off-by: Zhang Shengju +Cc: stable +Signed-off-by: Tang Bin +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200826144931.1828-1-tangbin@cmss.chinamobile.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-exynos.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/ohci-exynos.c ++++ b/drivers/usb/host/ohci-exynos.c +@@ -166,9 +166,8 @@ skip_phy: + hcd->rsrc_len = resource_size(res); + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "Failed to get IRQ\n"); +- err = -ENODEV; ++ if (irq < 0) { ++ err = irq; + goto fail_io; + } + diff --git a/queue-4.9/usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch b/queue-4.9/usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch new file mode 100644 index 00000000000..dd3d7e4534d --- /dev/null +++ b/queue-4.9/usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch @@ -0,0 +1,37 @@ +From 9aa37788e7ebb3f489fb4b71ce07adadd444264a Mon Sep 17 00:00:00 2001 +From: Cyril Roelandt +Date: Tue, 25 Aug 2020 23:22:31 +0200 +Subject: USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge + +From: Cyril Roelandt + +commit 9aa37788e7ebb3f489fb4b71ce07adadd444264a upstream. + +This device does not support UAS properly and a similar entry already +exists in drivers/usb/storage/unusual_uas.h. Without this patch, +storage_probe() defers the handling of this device to UAS, which cannot +handle it either. + +Tested-by: Brice Goglin +Fixes: bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron SATA enclosure") +Acked-by: Alan Stern +CC: +Signed-off-by: Cyril Roelandt +Link: https://lore.kernel.org/r/20200825212231.46309-1-tipecaml@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2347,7 +2347,7 @@ UNUSUAL_DEV( 0x357d, 0x7788, 0x0114, 0x + "JMicron", + "USB to ATA/ATAPI Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, +- US_FL_BROKEN_FUA ), ++ US_FL_BROKEN_FUA | US_FL_IGNORE_UAS ), + + /* Reported by Andrey Rahmatullin */ + UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100, diff --git a/queue-4.9/usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch b/queue-4.9/usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch new file mode 100644 index 00000000000..afa3de90045 --- /dev/null +++ b/queue-4.9/usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch @@ -0,0 +1,38 @@ +From 5967116e8358899ebaa22702d09b0af57fef23e1 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 31 Jul 2020 13:16:20 +0800 +Subject: USB: quirks: Add no-lpm quirk for another Raydium touchscreen + +From: Kai-Heng Feng + +commit 5967116e8358899ebaa22702d09b0af57fef23e1 upstream. + +There's another Raydium touchscreen needs the no-lpm quirk: +[ 1.339149] usb 1-9: New USB device found, idVendor=2386, idProduct=350e, bcdDevice= 0.00 +[ 1.339150] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0 +[ 1.339151] usb 1-9: Product: Raydium Touch System +[ 1.339152] usb 1-9: Manufacturer: Raydium Corporation +... +[ 6.450497] usb 1-9: can't set config #1, error -110 + +BugLink: https://bugs.launchpad.net/bugs/1889446 +Signed-off-by: Kai-Heng Feng +Cc: stable +Link: https://lore.kernel.org/r/20200731051622.28643-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -299,6 +299,8 @@ static const struct usb_device_id usb_qu + + { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM }, + ++ { USB_DEVICE(0x2386, 0x350e), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* DJI CineSSD */ + { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM }, + diff --git a/queue-4.9/usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch b/queue-4.9/usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch new file mode 100644 index 00000000000..8212e473add --- /dev/null +++ b/queue-4.9/usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch @@ -0,0 +1,42 @@ +From 20934c0de13b49a072fb1e0ca79fe0fe0e40eae5 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 26 Aug 2020 10:32:29 -0400 +Subject: usb: storage: Add unusual_uas entry for Sony PSZ drives +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alan Stern + +commit 20934c0de13b49a072fb1e0ca79fe0fe0e40eae5 upstream. + +The PSZ-HA* family of USB disk drives from Sony can't handle the +REPORT OPCODES command when using the UAS protocol. This patch adds +an appropriate quirks entry. + +Reported-and-tested-by: Till Dörges +Signed-off-by: Alan Stern +CC: +Link: https://lore.kernel.org/r/20200826143229.GB400430@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_uas.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -41,6 +41,13 @@ + * and don't forget to CC: the USB development list + */ + ++/* Reported-by: Till Dörges */ ++UNUSUAL_DEV(0x054c, 0x087d, 0x0000, 0x9999, ++ "Sony", ++ "PSZ-HA*", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_REPORT_OPCODES), ++ + /* Reported-by: Julian Groß */ + UNUSUAL_DEV(0x059f, 0x105f, 0x0000, 0x9999, + "LaCie", diff --git a/queue-4.9/usb-uas-add-quirk-for-pny-pro-elite.patch b/queue-4.9/usb-uas-add-quirk-for-pny-pro-elite.patch new file mode 100644 index 00000000000..c7f890c3ab2 --- /dev/null +++ b/queue-4.9/usb-uas-add-quirk-for-pny-pro-elite.patch @@ -0,0 +1,39 @@ +From 9a469bc9f32dd33c7aac5744669d21a023a719cd Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Tue, 18 Aug 2020 19:27:47 -0700 +Subject: usb: uas: Add quirk for PNY Pro Elite + +From: Thinh Nguyen + +commit 9a469bc9f32dd33c7aac5744669d21a023a719cd upstream. + +PNY Pro Elite USB 3.1 Gen 2 device (SSD) doesn't respond to ATA_12 +pass-through command (i.e. it just hangs). If it doesn't support this +command, it should respond properly to the host. Let's just add a quirk +to be able to move forward with other operations. + +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/2b0585228b003eedcc82db84697b31477df152e0.1597803605.git.thinhn@synopsys.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_uas.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -156,6 +156,13 @@ UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x99 + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA), + ++/* Reported-by: Thinh Nguyen */ ++UNUSUAL_DEV(0x154b, 0xf00d, 0x0000, 0x9999, ++ "PNY", ++ "Pro Elite SSD", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_ATA_1X), ++ + /* Reported-by: Hans de Goede */ + UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, + "VIA", diff --git a/queue-4.9/usb-yurex-fix-bad-gfp-argument.patch b/queue-4.9/usb-yurex-fix-bad-gfp-argument.patch new file mode 100644 index 00000000000..7638d9da373 --- /dev/null +++ b/queue-4.9/usb-yurex-fix-bad-gfp-argument.patch @@ -0,0 +1,72 @@ +From f176ede3a3bde5b398a6777a7f9ff091baa2d3ff Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 10 Aug 2020 14:29:54 -0400 +Subject: USB: yurex: Fix bad gfp argument + +From: Alan Stern + +commit f176ede3a3bde5b398a6777a7f9ff091baa2d3ff upstream. + +The syzbot fuzzer identified a bug in the yurex driver: It passes +GFP_KERNEL as a memory-allocation flag to usb_submit_urb() at a time +when its state is TASK_INTERRUPTIBLE, not TASK_RUNNING: + +do not call blocking ops when !TASK_RUNNING; state=1 set at [<00000000370c7c68>] prepare_to_wait+0xb1/0x2a0 kernel/sched/wait.c:247 +WARNING: CPU: 1 PID: 340 at kernel/sched/core.c:7253 __might_sleep+0x135/0x190 +kernel/sched/core.c:7253 +Kernel panic - not syncing: panic_on_warn set ... +CPU: 1 PID: 340 Comm: syz-executor677 Not tainted 5.8.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google +01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + panic+0x2aa/0x6e1 kernel/panic.c:231 + __warn.cold+0x20/0x50 kernel/panic.c:600 + report_bug+0x1bd/0x210 lib/bug.c:198 + handle_bug+0x41/0x80 arch/x86/kernel/traps.c:234 + exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 + asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 +RIP: 0010:__might_sleep+0x135/0x190 kernel/sched/core.c:7253 +Code: 65 48 8b 1c 25 40 ef 01 00 48 8d 7b 10 48 89 fe 48 c1 ee 03 80 3c 06 00 75 +2b 48 8b 73 10 48 c7 c7 e0 9e 06 86 e8 ed 12 f6 ff <0f> 0b e9 46 ff ff ff e8 1f +b2 4b 00 e9 29 ff ff ff e8 15 b2 4b 00 +RSP: 0018:ffff8881cdb77a28 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff8881c6458000 RCX: 0000000000000000 +RDX: ffff8881c6458000 RSI: ffffffff8129ec93 RDI: ffffed1039b6ef37 +RBP: ffffffff86fdade2 R08: 0000000000000001 R09: ffff8881db32f54f +R10: 0000000000000000 R11: 0000000030343354 R12: 00000000000001f2 +R13: 0000000000000000 R14: 0000000000000068 R15: ffffffff83c1b1aa + slab_pre_alloc_hook.constprop.0+0xea/0x200 mm/slab.h:498 + slab_alloc_node mm/slub.c:2816 [inline] + slab_alloc mm/slub.c:2900 [inline] + kmem_cache_alloc_trace+0x46/0x220 mm/slub.c:2917 + kmalloc include/linux/slab.h:554 [inline] + dummy_urb_enqueue+0x7a/0x880 drivers/usb/gadget/udc/dummy_hcd.c:1251 + usb_hcd_submit_urb+0x2b2/0x22d0 drivers/usb/core/hcd.c:1547 + usb_submit_urb+0xb4e/0x13e0 drivers/usb/core/urb.c:570 + yurex_write+0x3ea/0x820 drivers/usb/misc/yurex.c:495 + +This patch changes the call to use GFP_ATOMIC instead of GFP_KERNEL. + +Reported-and-tested-by: syzbot+c2c3302f9c601a4b1be2@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +CC: +Link: https://lore.kernel.org/r/20200810182954.GB307778@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/yurex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -502,7 +502,7 @@ static ssize_t yurex_write(struct file * + prepare_to_wait(&dev->waitq, &wait, TASK_INTERRUPTIBLE); + dev_dbg(&dev->interface->dev, "%s - submit %c\n", __func__, + dev->cntl_buffer[0]); +- retval = usb_submit_urb(dev->cntl_urb, GFP_KERNEL); ++ retval = usb_submit_urb(dev->cntl_urb, GFP_ATOMIC); + if (retval >= 0) + timeout = schedule_timeout(YUREX_WRITE_TIMEOUT); + finish_wait(&dev->waitq, &wait);