From: Greg Kroah-Hartman
Date: Mon, 26 Feb 2024 13:10:32 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.308~56
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba611abd4b6fbc0a2c05133a3a2f4a07e52369af;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches added patches: arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch l2tp-pass-correct-message-length-to-ip6_append_data.patch usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch
---
diff --git a/queue-4.19/arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch b/queue-4.19/arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch
new file mode 100644
index 00000000000..90d6cd4c4cb
--- /dev/null
+++ b/queue-4.19/arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch
@@ -0,0 +1,37 @@ +From fdf87a0dc26d0550c60edc911cda42f9afec3557 Mon Sep 17 00:00:00 2001 +From: Nikita Shubin +Date: Mon, 5 Feb 2024 11:23:34 +0100 +Subject: ARM: ep93xx: Add terminator to gpiod_lookup_table + +From: Nikita Shubin + +commit fdf87a0dc26d0550c60edc911cda42f9afec3557 upstream. + +Without the terminator, if a con_id is passed to gpio_find() that +does not exist in the lookup table the function will not stop looping +correctly, and eventually cause an oops. + +Cc: stable@vger.kernel.org +Fixes: b2e63555592f ("i2c: gpio: Convert to use descriptors") +Reported-by: Andy Shevchenko +Signed-off-by: Nikita Shubin +Reviewed-by: Linus Walleij +Acked-by: Alexander Sverdlin +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20240205102337.439002-1-alexander.sverdlin@gmail.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-ep93xx/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-ep93xx/core.c ++++ b/arch/arm/mach-ep93xx/core.c +@@ -330,6 +330,7 @@ static struct gpiod_lookup_table ep93xx_ + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), + GPIO_LOOKUP_IDX("G", 0, NULL, 1, + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), ++ { } + }, + }; + diff --git a/queue-4.19/l2tp-pass-correct-message-length-to-ip6_append_data.patch b/queue-4.19/l2tp-pass-correct-message-length-to-ip6_append_data.patch new file mode 100644 index 00000000000..eef235fbe5b --- /dev/null +++ b/queue-4.19/l2tp-pass-correct-message-length-to-ip6_append_data.patch 
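Review bot: The added `{ }` entry has no comment marking it as the table terminator, so a later edit that appends another GPIO_LOOKUP_IDX line below it would quietly bring back the unterminated walk the commit message describes. I would write it as `{ } /* sentinel: must stay the last entry */`. The table definition starts above the hunk, so whether the other lookup tables in core.c are terminated cannot be checked from here.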
@@ -0,0 +1,50 @@ +From 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79 Mon Sep 17 00:00:00 2001 +From: Tom Parkin +Date: Tue, 20 Feb 2024 12:21:56 +0000 +Subject: l2tp: pass correct message length to ip6_append_data + +From: Tom Parkin + +commit 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79 upstream. + +l2tp_ip6_sendmsg needs to avoid accounting for the transport header +twice when splicing more data into an already partially-occupied skbuff. + +To manage this, we check whether the skbuff contains data using +skb_queue_empty when deciding how much data to append using +ip6_append_data. + +However, the code which performed the calculation was incorrect: + + ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; + +...due to C operator precedence, this ends up setting ulen to +transhdrlen for messages with a non-zero length, which results in +corrupted packets on the wire. + +Add parentheses to correct the calculation in line with the original +intent. + +Fixes: 9d4c75800f61 ("ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()") +Cc: David Howells +Cc: stable@vger.kernel.org +Signed-off-by: Tom Parkin +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240220122156.43131-1-tparkin@katalix.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ip6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -648,7 +648,7 @@ static int l2tp_ip6_sendmsg(struct sock + + back_from_confirm: + lock_sock(sk); +- ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ++ ulen = len + (skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0); + err = ip6_append_data(sk, ip_generic_getfrag, msg, + ulen, transhdrlen, &ipc6, + &fl6, (struct rt6_info *)dst, diff --git a/queue-4.19/series b/queue-4.19/series index 57f8c7da092..4061467b040 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
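Review bot: The corrected `ulen` line still has no comment saying why `transhdrlen` is added only when the write queue is empty, and the precedence bug fixed here came from that intent being hard to read in a single expression. A line above it such as `/* count the transport header once: only the first append into an empty queue carries it */` would make the next edit safer. The declarations of `ulen` and `len` and any upper bound on `len` lie outside the hunk, so it is worth confirming in the 4.19 tree that `len + transhdrlen` cannot exceed the range of `ulen`'s type before it is handed to ip6_append_data().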
@@ -28,3 +28,7 @@ ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch
 mm-memcontrol-switch-to-rcu-protection-in-drain_all_stock.patch
 dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch
 gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch
+l2tp-pass-correct-message-length-to-ip6_append_data.patch
+arm-ep93xx-add-terminator-to-gpiod_lookup_table.patch
+usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch
+usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch
diff --git a/queue-4.19/usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch b/queue-4.19/usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch
new file mode 100644
index 00000000000..2ec00131331
--- /dev/null
+++ b/queue-4.19/usb-gadget-ncm-avoid-dropping-datagrams-of-properly-parsed-ntbs.patch
@@ -0,0 +1,88 @@ +From 76c51146820c5dac629f21deafab0a7039bc3ccd Mon Sep 17 00:00:00 2001 +From: Krishna Kurapati +Date: Mon, 5 Feb 2024 13:16:50 +0530 +Subject: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krishna Kurapati + +commit 76c51146820c5dac629f21deafab0a7039bc3ccd upstream. + +It is observed sometimes when tethering is used over NCM with Windows 11 +as host, at some instances, the gadget_giveback has one byte appended at +the end of a proper NTB. When the NTB is parsed, unwrap call looks for +any leftover bytes in SKB provided by u_ether and if there are any pending +bytes, it treats them as a separate NTB and parses it. But in case the +second NTB (as per unwrap call) is faulty/corrupt, all the datagrams that +were parsed properly in the first NTB and saved in rx_list are dropped. + +Adding a few custom traces showed the following: +[002] d..1 7828.532866: dwc3_gadget_giveback: ep1out: +req 000000003868811a length 1025/16384 zsI ==> 0 +[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025 +[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 +[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67 +[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400 +[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10 +[002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames + +In this case, the giveback is of 1025 bytes and block length is 1024. +The rest 1 byte (which is 0x00) won't be parsed resulting in drop of +all datagrams in rx_list. 
+ +Same is case with packets of size 2048: +[002] d..1 7828.557948: dwc3_gadget_giveback: ep1out: +req 0000000011dfd96e length 2049/16384 zsI ==> 0 +[002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 +[002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800 + +Lecroy shows one byte coming in extra confirming that the byte is coming +in from PC: + + Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590) + - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590) + --- Packet 4063861 + Data(1024 bytes) + Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590) + --- Packet 4063863 + Data(1 byte) + Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722) + +According to Windows driver, no ZLP is needed if wBlockLength is non-zero, +because the non-zero wBlockLength has already told the function side the +size of transfer to be expected. However, there are in-market NCM devices +that rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize. +To deal with such devices, it pads an extra 0 at end so the transfer is no +longer multiple of wMaxPacketSize. + +Cc: +Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") +Signed-off-by: Krishna Kurapati +Reviewed-by: Maciej Żenczykowski +Link: https://lore.kernel.org/r/20240205074650.200304-1-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -1349,7 +1349,15 @@ parse_ntb: + "Parsed NTB with %d frames\n", dgram_counter); + + to_process -= block_len; +- if (to_process != 0) { ++ ++ /* ++ * Windows NCM driver avoids USB ZLPs by adding a 1-byte ++ * zero pad as needed. 
++ */ ++ if (to_process == 1 && ++ (*(unsigned char *)(ntb_ptr + block_len) == 0x00)) { ++ to_process--; ++ } else if (to_process > 0) { + ntb_ptr = (unsigned char *)(ntb_ptr + block_len); + goto parse_ntb; + } diff --git a/queue-4.19/usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch b/queue-4.19/usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch new file mode 100644 index 00000000000..9d609e4a41a --- /dev/null +++ b/queue-4.19/usb-roles-don-t-get-set_role-when-usb_role_switch-is-unregistered.patch 
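Review bot: In the new `else if (to_process > 0)` branch nothing guarantees forward progress when `block_len` is zero: `to_process -= block_len` leaves the count unchanged, `ntb_ptr` does not advance, and `goto parse_ntb` parses the same bytes again. Whether a zero block length can reach this point depends on the header validation above the hunk, which is not visible here; since the value is supplied by the USB host, I would make the branch safe on its own with `} else if (to_process > 0 && block_len != 0) {`. The one-byte read at `ntb_ptr + block_len` is in bounds only while `to_process` still reflects the bytes left in the skb, so that earlier validation should also reject a `block_len` larger than `to_process`. The enclosing function starts and ends outside the hunk.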
@@ -0,0 +1,76 @@ +From b787a3e781759026a6212736ef8e52cf83d1821a Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 29 Jan 2024 17:37:39 +0800 +Subject: usb: roles: don't get/set_role() when usb_role_switch is unregistered + +From: Xu Yang + +commit b787a3e781759026a6212736ef8e52cf83d1821a upstream. + +There is a possibility that usb_role_switch device is unregistered before +the user put usb_role_switch. In this case, the user may still want to +get/set_role() since the user can't sense the changes of usb_role_switch. + +This will add a flag to show if usb_role_switch is already registered and +avoid unwanted behaviors. + +Fixes: fde0aa6c175a ("usb: common: Small class for USB role switches") +cc: stable@vger.kernel.org +Signed-off-by: Xu Yang +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240129093739.2371530-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/roles/class.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/usb/roles/class.c ++++ b/drivers/usb/roles/class.c +@@ -19,6 +19,7 @@ struct usb_role_switch { + struct device dev; + struct mutex lock; /* device lock*/ + enum usb_role role; ++ bool registered; + + /* From descriptor */ + struct device *usb2_port; +@@ -45,6 +46,9 @@ int usb_role_switch_set_role(struct usb_ + if (IS_ERR_OR_NULL(sw)) + return 0; + ++ if (!sw->registered) ++ return -EOPNOTSUPP; ++ + mutex_lock(&sw->lock); + + ret = sw->set(sw->dev.parent, role); +@@ -68,7 +72,7 @@ enum usb_role usb_role_switch_get_role(s + { + enum usb_role role; + +- if (IS_ERR_OR_NULL(sw)) ++ if (IS_ERR_OR_NULL(sw) || !sw->registered) + return USB_ROLE_NONE; + + mutex_lock(&sw->lock); +@@ -276,6 +280,8 @@ usb_role_switch_register(struct device * + return ERR_PTR(ret); + } + ++ sw->registered = true; ++ + /* TODO: Symlinks for the host port and the device controller. 
*/ + + return sw; +@@ -290,8 +296,10 @@ EXPORT_SYMBOL_GPL(usb_role_switch_regist + */ + void usb_role_switch_unregister(struct usb_role_switch *sw) + { +- if (!IS_ERR_OR_NULL(sw)) ++ if (!IS_ERR_OR_NULL(sw)) { ++ sw->registered = false; + device_unregister(&sw->dev); ++ } + } + EXPORT_SYMBOL_GPL(usb_role_switch_unregister); +
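Review bot: The new `registered` flag is read in usb_role_switch_set_role() and usb_role_switch_get_role() before `sw->lock` is taken, and cleared in usb_role_switch_unregister() without the lock, so an unregister that runs between the check and the `sw->set()` call is not caught. Testing the flag after `mutex_lock(&sw->lock)` and clearing it under the same lock before `device_unregister()` closes that window; the same move applies to the get_role check. Whether callers can actually race this way is not visible from the hunks, and the function bodies continue outside them.

```c
	/* … unchanged: IS_ERR_OR_NULL(sw) check in usb_role_switch_set_role() … */
	mutex_lock(&sw->lock);

	if (!sw->registered) {
		/* switch already unregistered: do not call into the driver */
		mutex_unlock(&sw->lock);
		return -EOPNOTSUPP;
	}

	ret = sw->set(sw->dev.parent, role);
	/* … unchanged: rest of usb_role_switch_set_role() … */

	/* in usb_role_switch_unregister() */
	if (!IS_ERR_OR_NULL(sw)) {
		mutex_lock(&sw->lock);
		sw->registered = false;
		mutex_unlock(&sw->lock);
		device_unregister(&sw->dev);
	}
```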