From: Greg Kroah-Hartman Date: Mon, 14 Oct 2019 14:22:25 +0000 (+0200) Subject: 5.3-stable patches X-Git-Tag: v4.4.197~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc47890775b22446e96a811d955e67941c2040b8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.3-stable patches added patches: mei-avoid-fw-version-request-on-ibex-peak-and-earlier.patch mei-me-add-comet-point-lake-lp-device-ids.patch serial-uartlite-fix-exit-path-null-pointer.patch serial-uartps-fix-uartps_major-handling.patch usb-adutux-fix-null-derefs-on-disconnect.patch usb-adutux-fix-use-after-free-on-disconnect.patch usb-adutux-fix-use-after-free-on-release.patch usb-chaoskey-fix-use-after-free-on-release.patch usb-dummy-hcd-fix-power-budget-for-superspeed-mode.patch usb-iowarrior-fix-use-after-free-after-driver-unbind.patch usb-iowarrior-fix-use-after-free-on-disconnect.patch usb-iowarrior-fix-use-after-free-on-release.patch usb-ldusb-fix-null-derefs-on-driver-unbind.patch usb-legousbtower-fix-deadlock-on-disconnect.patch usb-legousbtower-fix-open-after-failed-reset-request.patch usb-legousbtower-fix-potential-null-deref-on-disconnect.patch usb-legousbtower-fix-slab-info-leak-at-probe.patch usb-legousbtower-fix-use-after-free-on-release.patch usb-microtek-fix-info-leak-at-probe.patch usb-renesas_usbhs-gadget-do-not-discard-queues-in-usb_ep_set_-halt-wedge.patch usb-renesas_usbhs-gadget-fix-usb_ep_set_-halt-wedge-behavior.patch usb-serial-fix-runtime-pm-after-driver-unbind.patch usb-serial-ftdi_sio-add-device-ids-for-sienna-and-echelon-pl-20.patch usb-serial-keyspan-fix-null-derefs-on-open-and-write.patch usb-serial-option-add-support-for-cinterion-cls8-devices.patch usb-serial-option-add-telit-fn980-compositions.patch usb-typec-tcpm-usb-typec-tcpm-fix-a-signedness-bug-in-tcpm_fw_get_caps.patch usb-typec-ucsi-ccg-remove-run_isr-flag.patch usb-typec-ucsi-displayport-fix-for-the-mode-entering-routine.patch usb-usb-skeleton-fix-null-deref-on-disconnect.patch usb-usb-skeleton-fix-runtime-pm-after-driver-unbind.patch usb-usblcd-fix-i-o-after-disconnect.patch usb-usblp-fix-runtime-pm-after-driver-unbind.patch usb-xhci-wait-for-cnr-controller-not-ready-bit-in-xhci-resume.patch xhci-check-all-endpoints-for-lpm-timeout.patch xhci-fix-false-warning-message-about-wrong-bounce-buffer-write-length.patch xhci-fix-null-pointer-dereference-in-xhci_clear_tt_buffer_complete.patch xhci-fix-usb-3.1-capability-detection-on-early-xhci-1.1-spec-based-hosts.patch xhci-increase-sts_save-timeout-in-xhci_suspend.patch xhci-prevent-deadlock-when-xhci-adapter-breaks-during-init.patch xhci-prevent-device-initiated-u1-u2-link-pm-if-exit-latency-is-too-long.patch --- diff --git a/queue-5.3/mei-avoid-fw-version-request-on-ibex-peak-and-earlier.patch b/queue-5.3/mei-avoid-fw-version-request-on-ibex-peak-and-earlier.patch new file mode 100644 index 00000000000..7c3e7118468 --- /dev/null +++ b/queue-5.3/mei-avoid-fw-version-request-on-ibex-peak-and-earlier.patch @@ -0,0 +1,212 @@ +From f8204f0ddd62966a0e79c2804963a21e3540dd82 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Fri, 4 Oct 2019 21:17:22 +0300 +Subject: mei: avoid FW version request on Ibex Peak and earlier + +From: Alexander Usyskin + +commit f8204f0ddd62966a0e79c2804963a21e3540dd82 upstream. + +The fixed MKHI client on PCH 6 gen platforms +does not support fw version retrieval. +The error is not fatal, but it fills up the kernel logs and +slows down the driver start. +This patch disables requesting FW version on GEN6 and earlier platforms. + +Fixes warning: +[ 15.964298] mei mei::55213584-9a29-4916-badf-0fb7ed682aeb:01: Could not read FW version +[ 15.964301] mei mei::55213584-9a29-4916-badf-0fb7ed682aeb:01: version command failed -5 + +Cc: +v4.18 +Cc: Paul Menzel +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20191004181722.31374-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/bus-fixup.c | 14 +++++++++++--- + drivers/misc/mei/hw-me.c | 21 ++++++++++++++++++--- + drivers/misc/mei/hw-me.h | 8 ++++++-- + drivers/misc/mei/mei_dev.h | 4 ++++ + drivers/misc/mei/pci-me.c | 10 +++++----- + 5 files changed, 44 insertions(+), 13 deletions(-) + +--- a/drivers/misc/mei/bus-fixup.c ++++ b/drivers/misc/mei/bus-fixup.c +@@ -218,13 +218,21 @@ static void mei_mkhi_fix(struct mei_cl_d + { + int ret; + ++ /* No need to enable the client if nothing is needed from it */ ++ if (!cldev->bus->fw_f_fw_ver_supported && ++ !cldev->bus->hbm_f_os_supported) ++ return; ++ + ret = mei_cldev_enable(cldev); + if (ret) + return; + +- ret = mei_fwver(cldev); +- if (ret < 0) +- dev_err(&cldev->dev, "FW version command failed %d\n", ret); ++ if (cldev->bus->fw_f_fw_ver_supported) { ++ ret = mei_fwver(cldev); ++ if (ret < 0) ++ dev_err(&cldev->dev, "FW version command failed %d\n", ++ ret); ++ } + + if (cldev->bus->hbm_f_os_supported) { + ret = mei_osver(cldev); +--- a/drivers/misc/mei/hw-me.c ++++ b/drivers/misc/mei/hw-me.c +@@ -1355,6 +1355,8 @@ static bool mei_me_fw_type_sps(struct pc + #define MEI_CFG_FW_SPS \ + .quirk_probe = mei_me_fw_type_sps + ++#define MEI_CFG_FW_VER_SUPP \ ++ .fw_ver_supported = 1 + + #define MEI_CFG_ICH_HFS \ + .fw_status.count = 0 +@@ -1392,31 +1394,41 @@ static const struct mei_cfg mei_me_ich10 + MEI_CFG_ICH10_HFS, + }; + +-/* PCH devices */ +-static const struct mei_cfg mei_me_pch_cfg = { ++/* PCH6 devices */ ++static const struct mei_cfg mei_me_pch6_cfg = { + MEI_CFG_PCH_HFS, + }; + ++/* PCH7 devices */ ++static const struct mei_cfg mei_me_pch7_cfg = { ++ MEI_CFG_PCH_HFS, ++ MEI_CFG_FW_VER_SUPP, ++}; ++ + /* PCH Cougar Point and Patsburg with quirk for Node Manager exclusion */ + static const struct mei_cfg mei_me_pch_cpt_pbg_cfg = { + MEI_CFG_PCH_HFS, ++ MEI_CFG_FW_VER_SUPP, + MEI_CFG_FW_NM, + }; + + /* PCH8 Lynx Point and newer devices */ + static const struct mei_cfg mei_me_pch8_cfg = { + MEI_CFG_PCH8_HFS, ++ MEI_CFG_FW_VER_SUPP, + }; + + /* PCH8 Lynx Point with quirk for SPS Firmware exclusion */ + static const struct mei_cfg mei_me_pch8_sps_cfg = { + MEI_CFG_PCH8_HFS, ++ MEI_CFG_FW_VER_SUPP, + MEI_CFG_FW_SPS, + }; + + /* Cannon Lake and newer devices */ + static const struct mei_cfg mei_me_pch12_cfg = { + MEI_CFG_PCH8_HFS, ++ MEI_CFG_FW_VER_SUPP, + MEI_CFG_DMA_128, + }; + +@@ -1428,7 +1440,8 @@ static const struct mei_cfg *const mei_c + [MEI_ME_UNDEF_CFG] = NULL, + [MEI_ME_ICH_CFG] = &mei_me_ich_cfg, + [MEI_ME_ICH10_CFG] = &mei_me_ich10_cfg, +- [MEI_ME_PCH_CFG] = &mei_me_pch_cfg, ++ [MEI_ME_PCH6_CFG] = &mei_me_pch6_cfg, ++ [MEI_ME_PCH7_CFG] = &mei_me_pch7_cfg, + [MEI_ME_PCH_CPT_PBG_CFG] = &mei_me_pch_cpt_pbg_cfg, + [MEI_ME_PCH8_CFG] = &mei_me_pch8_cfg, + [MEI_ME_PCH8_SPS_CFG] = &mei_me_pch8_sps_cfg, +@@ -1473,6 +1486,8 @@ struct mei_device *mei_me_dev_init(struc + mei_device_init(dev, &pdev->dev, &mei_me_hw_ops); + hw->cfg = cfg; + ++ dev->fw_f_fw_ver_supported = cfg->fw_ver_supported; ++ + return dev; + } + +--- a/drivers/misc/mei/hw-me.h ++++ b/drivers/misc/mei/hw-me.h +@@ -20,11 +20,13 @@ + * @fw_status: FW status + * @quirk_probe: device exclusion quirk + * @dma_size: device DMA buffers size ++ * @fw_ver_supported: is fw version retrievable from FW + */ + struct mei_cfg { + const struct mei_fw_status fw_status; + bool (*quirk_probe)(struct pci_dev *pdev); + size_t dma_size[DMA_DSCR_NUM]; ++ u32 fw_ver_supported:1; + }; + + +@@ -62,7 +64,8 @@ struct mei_me_hw { + * @MEI_ME_UNDEF_CFG: Lower sentinel. + * @MEI_ME_ICH_CFG: I/O Controller Hub legacy devices. + * @MEI_ME_ICH10_CFG: I/O Controller Hub platforms Gen10 +- * @MEI_ME_PCH_CFG: Platform Controller Hub platforms (Up to Gen8). ++ * @MEI_ME_PCH6_CFG: Platform Controller Hub platforms (Gen6). ++ * @MEI_ME_PCH7_CFG: Platform Controller Hub platforms (Gen7). + * @MEI_ME_PCH_CPT_PBG_CFG:Platform Controller Hub workstations + * with quirk for Node Manager exclusion. + * @MEI_ME_PCH8_CFG: Platform Controller Hub Gen8 and newer +@@ -77,7 +80,8 @@ enum mei_cfg_idx { + MEI_ME_UNDEF_CFG, + MEI_ME_ICH_CFG, + MEI_ME_ICH10_CFG, +- MEI_ME_PCH_CFG, ++ MEI_ME_PCH6_CFG, ++ MEI_ME_PCH7_CFG, + MEI_ME_PCH_CPT_PBG_CFG, + MEI_ME_PCH8_CFG, + MEI_ME_PCH8_SPS_CFG, +--- a/drivers/misc/mei/mei_dev.h ++++ b/drivers/misc/mei/mei_dev.h +@@ -426,6 +426,8 @@ struct mei_fw_version { + * + * @fw_ver : FW versions + * ++ * @fw_f_fw_ver_supported : fw feature: fw version supported ++ * + * @me_clients_rwsem: rw lock over me_clients list + * @me_clients : list of FW clients + * @me_clients_map : FW clients bit map +@@ -506,6 +508,8 @@ struct mei_device { + + struct mei_fw_version fw_ver[MEI_MAX_FW_VER_BLOCKS]; + ++ unsigned int fw_f_fw_ver_supported:1; ++ + struct rw_semaphore me_clients_rwsem; + struct list_head me_clients; + DECLARE_BITMAP(me_clients_map, MEI_CLIENTS_MAX); +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -61,13 +61,13 @@ static const struct pci_device_id mei_me + {MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_3, MEI_ME_ICH10_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_4, MEI_ME_ICH10_CFG)}, + +- {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_1, MEI_ME_PCH_CFG)}, +- {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_2, MEI_ME_PCH_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_1, MEI_ME_PCH6_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_2, MEI_ME_PCH6_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_CPT_1, MEI_ME_PCH_CPT_PBG_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_PBG_1, MEI_ME_PCH_CPT_PBG_CFG)}, +- {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_1, MEI_ME_PCH_CFG)}, +- {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_2, MEI_ME_PCH_CFG)}, +- {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_3, MEI_ME_PCH_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_1, MEI_ME_PCH7_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_2, MEI_ME_PCH7_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_3, MEI_ME_PCH7_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_H, MEI_ME_PCH8_SPS_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_W, MEI_ME_PCH8_SPS_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_LP, MEI_ME_PCH8_CFG)}, diff --git a/queue-5.3/mei-me-add-comet-point-lake-lp-device-ids.patch b/queue-5.3/mei-me-add-comet-point-lake-lp-device-ids.patch new file mode 100644 index 00000000000..e1e163e2d2b --- /dev/null +++ b/queue-5.3/mei-me-add-comet-point-lake-lp-device-ids.patch @@ -0,0 +1,45 @@ +From 4d86dfd38285c83a6df01093b8547f742e3b2470 Mon Sep 17 00:00:00 2001 +From: Tomas Winkler +Date: Wed, 2 Oct 2019 02:59:57 +0300 +Subject: mei: me: add comet point (lake) LP device ids + +From: Tomas Winkler + +commit 4d86dfd38285c83a6df01093b8547f742e3b2470 upstream. + +Add Comet Point devices IDs for Comet Lake U platforms. + +Cc: +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20191001235958.19979-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hw-me-regs.h | 3 +++ + drivers/misc/mei/pci-me.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -79,6 +79,9 @@ + #define MEI_DEV_ID_CNP_H 0xA360 /* Cannon Point H */ + #define MEI_DEV_ID_CNP_H_4 0xA364 /* Cannon Point H 4 (iTouch) */ + ++#define MEI_DEV_ID_CMP_LP 0x02e0 /* Comet Point LP */ ++#define MEI_DEV_ID_CMP_LP_3 0x02e4 /* Comet Point LP 3 (iTouch) */ ++ + #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */ + + #define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */ +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -96,6 +96,9 @@ static const struct pci_device_id mei_me + {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H, MEI_ME_PCH12_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H_4, MEI_ME_PCH8_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP, MEI_ME_PCH12_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP_3, MEI_ME_PCH8_CFG)}, ++ + {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)}, diff --git a/queue-5.3/serial-uartlite-fix-exit-path-null-pointer.patch b/queue-5.3/serial-uartlite-fix-exit-path-null-pointer.patch new file mode 100644 index 00000000000..25571c9b9ba --- /dev/null +++ b/queue-5.3/serial-uartlite-fix-exit-path-null-pointer.patch @@ -0,0 +1,43 @@ +From a553add0846f355a28ed4e81134012e4a1e280c2 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 16 Sep 2019 16:12:23 -0700 +Subject: serial: uartlite: fix exit path null pointer + +From: Randy Dunlap + +commit a553add0846f355a28ed4e81134012e4a1e280c2 upstream. + +Call uart_unregister_driver() conditionally instead of +unconditionally, only if it has been previously registered. + +This uses driver.state, just as the sh-sci.c driver does. + +Fixes this null pointer dereference in tty_unregister_driver(), +since the 'driver' argument is null: + + general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI + RIP: 0010:tty_unregister_driver+0x25/0x1d0 + +Fixes: 238b8721a554 ("[PATCH] serial uartlite driver") +Signed-off-by: Randy Dunlap +Cc: stable +Cc: Peter Korsgaard +Link: https://lore.kernel.org/r/9c8e6581-6fcc-a595-0897-4d90f5d710df@infradead.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/uartlite.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/uartlite.c ++++ b/drivers/tty/serial/uartlite.c +@@ -897,7 +897,8 @@ static int __init ulite_init(void) + static void __exit ulite_exit(void) + { + platform_driver_unregister(&ulite_platform_driver); +- uart_unregister_driver(&ulite_uart_driver); ++ if (ulite_uart_driver.state) ++ uart_unregister_driver(&ulite_uart_driver); + } + + module_init(ulite_init); diff --git a/queue-5.3/serial-uartps-fix-uartps_major-handling.patch b/queue-5.3/serial-uartps-fix-uartps_major-handling.patch new file mode 100644 index 00000000000..f787d744b91 --- /dev/null +++ b/queue-5.3/serial-uartps-fix-uartps_major-handling.patch @@ -0,0 +1,58 @@ +From 5e9bd2d70ae7c00a95a22994abf1eef728649e64 Mon Sep 17 00:00:00 2001 +From: Michal Simek +Date: Fri, 4 Oct 2019 15:04:11 +0200 +Subject: serial: uartps: Fix uartps_major handling + +From: Michal Simek + +commit 5e9bd2d70ae7c00a95a22994abf1eef728649e64 upstream. + +There are two parts which should be fixed. The first one is to assigned +uartps_major at the end of probe() to avoid complicated logic when +something fails. +The second part is initialized uartps_major number to 0 when last device is +removed. This will ensure that on next probe driver will ask for new +dynamic major number. + +Fixes: ab262666018d ("serial: uartps: Use the same dynamic major number for all ports") +Reported-by: Paul Thomas +Cc: stable +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/d2652cda992833315c4f96f06953eb547f928918.1570194248.git.michal.simek@xilinx.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/xilinx_uartps.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1550,7 +1550,6 @@ static int cdns_uart_probe(struct platfo + goto err_out_id; + } + +- uartps_major = cdns_uart_uart_driver->tty_driver->major; + cdns_uart_data->cdns_uart_driver = cdns_uart_uart_driver; + + /* +@@ -1680,6 +1679,7 @@ static int cdns_uart_probe(struct platfo + console_port = NULL; + #endif + ++ uartps_major = cdns_uart_uart_driver->tty_driver->major; + cdns_uart_data->cts_override = of_property_read_bool(pdev->dev.of_node, + "cts-override"); + return 0; +@@ -1741,6 +1741,12 @@ static int cdns_uart_remove(struct platf + console_port = NULL; + #endif + ++ /* If this is last instance major number should be initialized */ ++ mutex_lock(&bitmap_lock); ++ if (bitmap_empty(bitmap, MAX_UART_INSTANCES)) ++ uartps_major = 0; ++ mutex_unlock(&bitmap_lock); ++ + uart_unregister_driver(cdns_uart_data->cdns_uart_driver); + return rc; + } diff --git a/queue-5.3/series b/queue-5.3/series index ff3cd662cd1..fcf97672417 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -2,3 +2,44 @@ panic-ensure-preemption-is-disabled-during-panic.patch usb-rio500-remove-rio-500-kernel-driver.patch usb-yurex-don-t-retry-on-unexpected-errors.patch usb-yurex-fix-null-derefs-on-disconnect.patch +usb-usb-skeleton-fix-runtime-pm-after-driver-unbind.patch +usb-usb-skeleton-fix-null-deref-on-disconnect.patch +xhci-fix-false-warning-message-about-wrong-bounce-buffer-write-length.patch +xhci-prevent-device-initiated-u1-u2-link-pm-if-exit-latency-is-too-long.patch +xhci-check-all-endpoints-for-lpm-timeout.patch +xhci-fix-usb-3.1-capability-detection-on-early-xhci-1.1-spec-based-hosts.patch +usb-xhci-wait-for-cnr-controller-not-ready-bit-in-xhci-resume.patch +xhci-prevent-deadlock-when-xhci-adapter-breaks-during-init.patch +xhci-increase-sts_save-timeout-in-xhci_suspend.patch +xhci-fix-null-pointer-dereference-in-xhci_clear_tt_buffer_complete.patch +usb-adutux-fix-use-after-free-on-disconnect.patch +usb-adutux-fix-null-derefs-on-disconnect.patch +usb-adutux-fix-use-after-free-on-release.patch +usb-iowarrior-fix-use-after-free-on-disconnect.patch +usb-iowarrior-fix-use-after-free-on-release.patch +usb-iowarrior-fix-use-after-free-after-driver-unbind.patch +usb-usblp-fix-runtime-pm-after-driver-unbind.patch +usb-chaoskey-fix-use-after-free-on-release.patch +usb-ldusb-fix-null-derefs-on-driver-unbind.patch +serial-uartlite-fix-exit-path-null-pointer.patch +serial-uartps-fix-uartps_major-handling.patch +usb-serial-keyspan-fix-null-derefs-on-open-and-write.patch +usb-serial-ftdi_sio-add-device-ids-for-sienna-and-echelon-pl-20.patch +usb-serial-option-add-telit-fn980-compositions.patch +usb-serial-option-add-support-for-cinterion-cls8-devices.patch +usb-serial-fix-runtime-pm-after-driver-unbind.patch +usb-usblcd-fix-i-o-after-disconnect.patch +usb-microtek-fix-info-leak-at-probe.patch +usb-dummy-hcd-fix-power-budget-for-superspeed-mode.patch +usb-renesas_usbhs-gadget-do-not-discard-queues-in-usb_ep_set_-halt-wedge.patch +usb-renesas_usbhs-gadget-fix-usb_ep_set_-halt-wedge-behavior.patch +usb-typec-tcpm-usb-typec-tcpm-fix-a-signedness-bug-in-tcpm_fw_get_caps.patch +usb-typec-ucsi-ccg-remove-run_isr-flag.patch +usb-typec-ucsi-displayport-fix-for-the-mode-entering-routine.patch +usb-legousbtower-fix-slab-info-leak-at-probe.patch +usb-legousbtower-fix-deadlock-on-disconnect.patch +usb-legousbtower-fix-potential-null-deref-on-disconnect.patch +usb-legousbtower-fix-open-after-failed-reset-request.patch +usb-legousbtower-fix-use-after-free-on-release.patch +mei-me-add-comet-point-lake-lp-device-ids.patch +mei-avoid-fw-version-request-on-ibex-peak-and-earlier.patch diff --git a/queue-5.3/usb-adutux-fix-null-derefs-on-disconnect.patch b/queue-5.3/usb-adutux-fix-null-derefs-on-disconnect.patch new file mode 100644 index 00000000000..d9e919e0b55 --- /dev/null +++ b/queue-5.3/usb-adutux-fix-null-derefs-on-disconnect.patch @@ -0,0 +1,109 @@ +From b2fa7baee744fde746c17bc1860b9c6f5c2eebb7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 25 Sep 2019 11:29:13 +0200 +Subject: USB: adutux: fix NULL-derefs on disconnect + +From: Johan Hovold + +commit b2fa7baee744fde746c17bc1860b9c6f5c2eebb7 upstream. + +The driver was using its struct usb_device pointer as an inverted +disconnected flag, but was setting it to NULL before making sure all +completion handlers had run. This could lead to a NULL-pointer +dereference in a number of dev_dbg statements in the completion handlers +which relies on said pointer. + +The pointer was also dereferenced unconditionally in a dev_dbg statement +release() something which would lead to a NULL-deref whenever a device +was disconnected before the final character-device close if debugging +was enabled. + +Fix this by unconditionally stopping all I/O and preventing +resubmissions by poisoning the interrupt URBs at disconnect and using a +dedicated disconnected flag. + +This also makes sure that all I/O has completed by the time the +disconnect callback returns. + +Fixes: 1ef37c6047fe ("USB: adutux: remove custom debug macro and module parameter") +Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro") +Cc: stable # 3.12 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20190925092913.8608-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/adutux.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -75,6 +75,7 @@ struct adu_device { + char serial_number[8]; + + int open_count; /* number of times this port has been opened */ ++ unsigned long disconnected:1; + + char *read_buffer_primary; + int read_buffer_length; +@@ -116,7 +117,7 @@ static void adu_abort_transfers(struct a + { + unsigned long flags; + +- if (dev->udev == NULL) ++ if (dev->disconnected) + return; + + /* shutdown transfer */ +@@ -243,7 +244,7 @@ static int adu_open(struct inode *inode, + } + + dev = usb_get_intfdata(interface); +- if (!dev || !dev->udev) { ++ if (!dev) { + retval = -ENODEV; + goto exit_no_device; + } +@@ -326,7 +327,7 @@ static int adu_release(struct inode *ino + } + + adu_release_internal(dev); +- if (dev->udev == NULL) { ++ if (dev->disconnected) { + /* the device was unplugged before the file was released */ + if (!dev->open_count) /* ... and we're the last user */ + adu_delete(dev); +@@ -354,7 +355,7 @@ static ssize_t adu_read(struct file *fil + return -ERESTARTSYS; + + /* verify that the device wasn't unplugged */ +- if (dev->udev == NULL) { ++ if (dev->disconnected) { + retval = -ENODEV; + pr_err("No device or device unplugged %d\n", retval); + goto exit; +@@ -518,7 +519,7 @@ static ssize_t adu_write(struct file *fi + goto exit_nolock; + + /* verify that the device wasn't unplugged */ +- if (dev->udev == NULL) { ++ if (dev->disconnected) { + retval = -ENODEV; + pr_err("No device or device unplugged %d\n", retval); + goto exit; +@@ -764,11 +765,14 @@ static void adu_disconnect(struct usb_in + + usb_deregister_dev(interface, &adu_class); + ++ usb_poison_urb(dev->interrupt_in_urb); ++ usb_poison_urb(dev->interrupt_out_urb); ++ + mutex_lock(&adutux_mutex); + usb_set_intfdata(interface, NULL); + + mutex_lock(&dev->mtx); /* not interruptible */ +- dev->udev = NULL; /* poison */ ++ dev->disconnected = 1; + mutex_unlock(&dev->mtx); + + /* if the device is not opened, then we clean up right now */ diff --git a/queue-5.3/usb-adutux-fix-use-after-free-on-disconnect.patch b/queue-5.3/usb-adutux-fix-use-after-free-on-disconnect.patch new file mode 100644 index 00000000000..f804fd073d2 --- /dev/null +++ b/queue-5.3/usb-adutux-fix-use-after-free-on-disconnect.patch @@ -0,0 +1,52 @@ +From 44efc269db7929f6275a1fa927ef082e533ecde0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 25 Sep 2019 11:29:12 +0200 +Subject: USB: adutux: fix use-after-free on disconnect + +From: Johan Hovold + +commit 44efc269db7929f6275a1fa927ef082e533ecde0 upstream. + +The driver was clearing its struct usb_device pointer, which it used as +an inverted disconnected flag, before deregistering the character device +and without serialising against racing release(). + +This could lead to a use-after-free if a racing release() callback +observes the cleared pointer and frees the driver data before +disconnect() is finished with it. + +This could also lead to NULL-pointer dereferences in a racing open(). + +Fixes: f08812d5eb8f ("USB: FIx locks and urb->status in adutux (updated)") +Cc: stable # 2.6.24 +Reported-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com +Tested-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20190925092913.8608-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/adutux.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -762,14 +762,15 @@ static void adu_disconnect(struct usb_in + + dev = usb_get_intfdata(interface); + +- mutex_lock(&dev->mtx); /* not interruptible */ +- dev->udev = NULL; /* poison */ + usb_deregister_dev(interface, &adu_class); +- mutex_unlock(&dev->mtx); + + mutex_lock(&adutux_mutex); + usb_set_intfdata(interface, NULL); + ++ mutex_lock(&dev->mtx); /* not interruptible */ ++ dev->udev = NULL; /* poison */ ++ mutex_unlock(&dev->mtx); ++ + /* if the device is not opened, then we clean up right now */ + if (!dev->open_count) + adu_delete(dev); diff --git a/queue-5.3/usb-adutux-fix-use-after-free-on-release.patch b/queue-5.3/usb-adutux-fix-use-after-free-on-release.patch new file mode 100644 index 00000000000..9e01488f108 --- /dev/null +++ b/queue-5.3/usb-adutux-fix-use-after-free-on-release.patch @@ -0,0 +1,43 @@ +From 123a0f125fa3d2104043697baa62899d9e549272 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 17:38:44 +0200 +Subject: USB: adutux: fix use-after-free on release + +From: Johan Hovold + +commit 123a0f125fa3d2104043697baa62899d9e549272 upstream. + +The driver was accessing its struct usb_device in its release() +callback without holding a reference. This would lead to a +use-after-free whenever the device was disconnected while the character +device was still open. + +Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro") +Cc: stable # 3.12 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009153848.8664-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/adutux.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -149,6 +149,7 @@ static void adu_delete(struct adu_device + kfree(dev->read_buffer_secondary); + kfree(dev->interrupt_in_buffer); + kfree(dev->interrupt_out_buffer); ++ usb_put_dev(dev->udev); + kfree(dev); + } + +@@ -664,7 +665,7 @@ static int adu_probe(struct usb_interfac + + mutex_init(&dev->mtx); + spin_lock_init(&dev->buflock); +- dev->udev = udev; ++ dev->udev = usb_get_dev(udev); + init_waitqueue_head(&dev->read_wait); + init_waitqueue_head(&dev->write_wait); + diff --git a/queue-5.3/usb-chaoskey-fix-use-after-free-on-release.patch b/queue-5.3/usb-chaoskey-fix-use-after-free-on-release.patch new file mode 100644 index 00000000000..cc0005fe379 --- /dev/null +++ b/queue-5.3/usb-chaoskey-fix-use-after-free-on-release.patch @@ -0,0 +1,52 @@ +From 93ddb1f56ae102f14f9e46a9a9c8017faa970003 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 17:38:45 +0200 +Subject: USB: chaoskey: fix use-after-free on release + +From: Johan Hovold + +commit 93ddb1f56ae102f14f9e46a9a9c8017faa970003 upstream. + +The driver was accessing its struct usb_interface in its release() +callback without holding a reference. This would lead to a +use-after-free whenever the device was disconnected while the character +device was still open. + +Fixes: 66e3e591891d ("usb: Add driver for Altus Metrum ChaosKey device (v2)") +Cc: stable # 4.1 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009153848.8664-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/chaoskey.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/usb/misc/chaoskey.c ++++ b/drivers/usb/misc/chaoskey.c +@@ -98,6 +98,7 @@ static void chaoskey_free(struct chaoske + usb_free_urb(dev->urb); + kfree(dev->name); + kfree(dev->buf); ++ usb_put_intf(dev->interface); + kfree(dev); + } + } +@@ -145,6 +146,8 @@ static int chaoskey_probe(struct usb_int + if (dev == NULL) + goto out; + ++ dev->interface = usb_get_intf(interface); ++ + dev->buf = kmalloc(size, GFP_KERNEL); + + if (dev->buf == NULL) +@@ -174,8 +177,6 @@ static int chaoskey_probe(struct usb_int + goto out; + } + +- dev->interface = interface; +- + dev->in_ep = in_ep; + + if (le16_to_cpu(udev->descriptor.idVendor) != ALEA_VENDOR_ID) diff --git a/queue-5.3/usb-dummy-hcd-fix-power-budget-for-superspeed-mode.patch b/queue-5.3/usb-dummy-hcd-fix-power-budget-for-superspeed-mode.patch new file mode 100644 index 00000000000..183f9e9c815 --- /dev/null +++ b/queue-5.3/usb-dummy-hcd-fix-power-budget-for-superspeed-mode.patch @@ -0,0 +1,48 @@ +From 2636d49b64671d3d90ecc4daf971b58df3956519 Mon Sep 17 00:00:00 2001 +From: "Jacky.Cao@sony.com" +Date: Thu, 5 Sep 2019 04:11:57 +0000 +Subject: USB: dummy-hcd: fix power budget for SuperSpeed mode + +From: Jacky.Cao@sony.com + +commit 2636d49b64671d3d90ecc4daf971b58df3956519 upstream. + +The power budget for SuperSpeed mode should be 900 mA +according to USB specification, so set the power budget +to 900mA for dummy_start_ss which is only used for +SuperSpeed mode. + +If the max power consumption of SuperSpeed device is +larger than 500 mA, insufficient available bus power +error happens in usb_choose_configuration function +when the device connects to dummy hcd. + +Signed-off-by: Jacky Cao +Acked-by: Alan Stern +Cc: stable +Link: https://lore.kernel.org/r/16EA1F625E922C43B00B9D82250220500871CDE5@APYOKXMS108.ap.sony.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/dummy_hcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -48,6 +48,7 @@ + #define DRIVER_VERSION "02 May 2005" + + #define POWER_BUDGET 500 /* in mA; use 8 for low-power port testing */ ++#define POWER_BUDGET_3 900 /* in mA */ + + static const char driver_name[] = "dummy_hcd"; + static const char driver_desc[] = "USB Host+Gadget Emulator"; +@@ -2432,7 +2433,7 @@ static int dummy_start_ss(struct dummy_h + dum_hcd->rh_state = DUMMY_RH_RUNNING; + dum_hcd->stream_en_ep = 0; + INIT_LIST_HEAD(&dum_hcd->urbp_list); +- dummy_hcd_to_hcd(dum_hcd)->power_budget = POWER_BUDGET; ++ dummy_hcd_to_hcd(dum_hcd)->power_budget = POWER_BUDGET_3; + dummy_hcd_to_hcd(dum_hcd)->state = HC_STATE_RUNNING; + dummy_hcd_to_hcd(dum_hcd)->uses_new_polling = 1; + #ifdef CONFIG_USB_OTG diff --git a/queue-5.3/usb-iowarrior-fix-use-after-free-after-driver-unbind.patch b/queue-5.3/usb-iowarrior-fix-use-after-free-after-driver-unbind.patch new file mode 100644 index 00000000000..cf07ec005bb --- /dev/null +++ b/queue-5.3/usb-iowarrior-fix-use-after-free-after-driver-unbind.patch @@ -0,0 +1,63 @@ +From b5f8d46867ca233d773408ffbe691a8062ed718f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 12:48:43 +0200 +Subject: USB: iowarrior: fix use-after-free after driver unbind + +From: Johan Hovold + +commit b5f8d46867ca233d773408ffbe691a8062ed718f upstream. + +Make sure to stop also the asynchronous write URBs on disconnect() to +avoid use-after-free in the completion handler after driver unbind. + +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Cc: stable # 2.6.21: 51a2f077c44e ("USB: introduce usb_anchor") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009104846.5925-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -87,6 +87,7 @@ struct iowarrior { + char chip_serial[9]; /* the serial number string of the chip connected */ + int report_size; /* number of bytes in a report */ + u16 product_id; ++ struct usb_anchor submitted; + }; + + /*--------------*/ +@@ -425,11 +426,13 @@ static ssize_t iowarrior_write(struct fi + retval = -EFAULT; + goto error; + } ++ usb_anchor_urb(int_out_urb, &dev->submitted); + retval = usb_submit_urb(int_out_urb, GFP_KERNEL); + if (retval) { + dev_dbg(&dev->interface->dev, + "submit error %d for urb nr.%d\n", + retval, atomic_read(&dev->write_busy)); ++ usb_unanchor_urb(int_out_urb); + goto error; + } + /* submit was ok */ +@@ -770,6 +773,8 @@ static int iowarrior_probe(struct usb_in + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + ++ init_usb_anchor(&dev->submitted); ++ + res = usb_find_last_int_in_endpoint(iface_desc, &dev->int_in_endpoint); + if (res) { + dev_err(&interface->dev, "no interrupt-in endpoint found\n"); +@@ -885,6 +890,7 @@ static void iowarrior_disconnect(struct + Deleting the device is postponed until close() was called. + */ + usb_kill_urb(dev->int_in_urb); ++ usb_kill_anchored_urbs(&dev->submitted); + wake_up_interruptible(&dev->read_wait); + wake_up_interruptible(&dev->write_wait); + mutex_unlock(&dev->mutex); diff --git a/queue-5.3/usb-iowarrior-fix-use-after-free-on-disconnect.patch b/queue-5.3/usb-iowarrior-fix-use-after-free-on-disconnect.patch new file mode 100644 index 00000000000..a6cabd16e65 --- /dev/null +++ b/queue-5.3/usb-iowarrior-fix-use-after-free-on-disconnect.patch @@ -0,0 +1,63 @@ +From edc4746f253d907d048de680a621e121517f484b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 12:48:41 +0200 +Subject: USB: iowarrior: fix use-after-free on disconnect + +From: Johan Hovold + +commit edc4746f253d907d048de680a621e121517f484b upstream. + +A recent fix addressing a deadlock on disconnect introduced a new bug +by moving the present flag out of the critical section protected by the +driver-data mutex. This could lead to a racing release() freeing the +driver data before disconnect() is done with it. + +Due to insufficient locking a related use-after-free could be triggered +also before the above mentioned commit. Specifically, the driver needs +to hold the driver-data mutex also while checking the opened flag at +disconnect(). + +Fixes: c468a8aa790e ("usb: iowarrior: fix deadlock on disconnect") +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Cc: stable # 2.6.21 +Reported-by: syzbot+0761012cebf7bdb38137@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009104846.5925-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -866,8 +866,6 @@ static void iowarrior_disconnect(struct + dev = usb_get_intfdata(interface); + mutex_lock(&iowarrior_open_disc_lock); + usb_set_intfdata(interface, NULL); +- /* prevent device read, write and ioctl */ +- dev->present = 0; + + minor = dev->minor; + mutex_unlock(&iowarrior_open_disc_lock); +@@ -878,8 +876,7 @@ static void iowarrior_disconnect(struct + mutex_lock(&dev->mutex); + + /* prevent device read, write and ioctl */ +- +- mutex_unlock(&dev->mutex); ++ dev->present = 0; + + if (dev->opened) { + /* There is a process that holds a filedescriptor to the device , +@@ -889,8 +886,10 @@ static void iowarrior_disconnect(struct + usb_kill_urb(dev->int_in_urb); + wake_up_interruptible(&dev->read_wait); + wake_up_interruptible(&dev->write_wait); ++ mutex_unlock(&dev->mutex); + } else { + /* no process is using the device, cleanup now */ ++ mutex_unlock(&dev->mutex); + iowarrior_delete(dev); + } + diff --git a/queue-5.3/usb-iowarrior-fix-use-after-free-on-release.patch b/queue-5.3/usb-iowarrior-fix-use-after-free-on-release.patch new file mode 100644 index 00000000000..4ba76557b16 --- /dev/null +++ b/queue-5.3/usb-iowarrior-fix-use-after-free-on-release.patch @@ -0,0 +1,43 @@ +From 80cd5479b525093a56ef768553045741af61b250 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 12:48:42 +0200 +Subject: USB: iowarrior: fix use-after-free on release + +From: Johan Hovold + +commit 80cd5479b525093a56ef768553045741af61b250 upstream. + +The driver was accessing its struct usb_interface from its release() +callback without holding a reference. This would lead to a +use-after-free whenever debugging was enabled and the device was +disconnected while its character device was open. + +Fixes: 549e83500b80 ("USB: iowarrior: Convert local dbg macro to dev_dbg") +Cc: stable # 3.16 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009104846.5925-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -243,6 +243,7 @@ static inline void iowarrior_delete(stru + kfree(dev->int_in_buffer); + usb_free_urb(dev->int_in_urb); + kfree(dev->read_queue); ++ usb_put_intf(dev->interface); + kfree(dev); + } + +@@ -764,7 +765,7 @@ static int iowarrior_probe(struct usb_in + init_waitqueue_head(&dev->write_wait); + + dev->udev = udev; +- dev->interface = interface; ++ dev->interface = usb_get_intf(interface); + + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); diff --git a/queue-5.3/usb-ldusb-fix-null-derefs-on-driver-unbind.patch b/queue-5.3/usb-ldusb-fix-null-derefs-on-driver-unbind.patch new file mode 100644 index 00000000000..4d300b6cb7a --- /dev/null +++ b/queue-5.3/usb-ldusb-fix-null-derefs-on-driver-unbind.patch @@ -0,0 +1,130 @@ +From 58ecf131e74620305175a7aa103f81350bb37570 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 17:38:46 +0200 +Subject: USB: ldusb: fix NULL-derefs on driver unbind + +From: Johan Hovold + +commit 58ecf131e74620305175a7aa103f81350bb37570 upstream. + +The driver was using its struct usb_interface pointer as an inverted +disconnected flag, but was setting it to NULL before making sure all +completion handlers had run. This could lead to a NULL-pointer +dereference in a number of dev_dbg, dev_warn and dev_err statements in +the completion handlers which relies on said pointer. + +Fix this by unconditionally stopping all I/O and preventing +resubmissions by poisoning the interrupt URBs at disconnect and using a +dedicated disconnected flag. + +This also makes sure that all I/O has completed by the time the +disconnect callback returns. + +Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver") +Cc: stable # 2.6.13 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009153848.8664-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/ldusb.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/usb/misc/ldusb.c ++++ b/drivers/usb/misc/ldusb.c +@@ -153,6 +153,7 @@ MODULE_PARM_DESC(min_interrupt_out_inter + struct ld_usb { + struct mutex mutex; /* locks this structure */ + struct usb_interface *intf; /* save off the usb interface pointer */ ++ unsigned long disconnected:1; + + int open_count; /* number of times this port has been opened */ + +@@ -192,12 +193,10 @@ static void ld_usb_abort_transfers(struc + /* shutdown transfer */ + if (dev->interrupt_in_running) { + dev->interrupt_in_running = 0; +- if (dev->intf) +- usb_kill_urb(dev->interrupt_in_urb); ++ usb_kill_urb(dev->interrupt_in_urb); + } + if (dev->interrupt_out_busy) +- if (dev->intf) +- usb_kill_urb(dev->interrupt_out_urb); ++ usb_kill_urb(dev->interrupt_out_urb); + } + + /** +@@ -205,8 +204,6 @@ static void ld_usb_abort_transfers(struc + */ + static void ld_usb_delete(struct ld_usb *dev) + { +- ld_usb_abort_transfers(dev); +- + /* free data structures */ + usb_free_urb(dev->interrupt_in_urb); + usb_free_urb(dev->interrupt_out_urb); +@@ -263,7 +260,7 @@ static void ld_usb_interrupt_in_callback + + resubmit: + /* resubmit if we're still running */ +- if (dev->interrupt_in_running && !dev->buffer_overflow && dev->intf) { ++ if (dev->interrupt_in_running && !dev->buffer_overflow) { + retval = usb_submit_urb(dev->interrupt_in_urb, GFP_ATOMIC); + if (retval) { + dev_err(&dev->intf->dev, +@@ -392,7 +389,7 @@ static int ld_usb_release(struct inode * + retval = -ENODEV; + goto unlock_exit; + } +- if (dev->intf == NULL) { ++ if (dev->disconnected) { + /* the device was unplugged before the file was released */ + mutex_unlock(&dev->mutex); + /* unlock here as ld_usb_delete frees dev */ +@@ -423,7 +420,7 @@ static __poll_t ld_usb_poll(struct file + + dev = file->private_data; + +- if (!dev->intf) ++ if (dev->disconnected) + return EPOLLERR | EPOLLHUP; + + poll_wait(file, &dev->read_wait, wait); +@@ -462,7 +459,7 @@ static ssize_t ld_usb_read(struct file * + } + + /* verify that the device wasn't unplugged */ +- if (dev->intf == NULL) { ++ if (dev->disconnected) { + retval = -ENODEV; + printk(KERN_ERR "ldusb: No device or device unplugged %d\n", retval); + goto unlock_exit; +@@ -542,7 +539,7 @@ static ssize_t ld_usb_write(struct file + } + + /* verify that the device wasn't unplugged */ +- if (dev->intf == NULL) { ++ if (dev->disconnected) { + retval = -ENODEV; + printk(KERN_ERR "ldusb: No device or device unplugged %d\n", retval); + goto unlock_exit; +@@ -764,6 +761,9 @@ static void ld_usb_disconnect(struct usb + /* give back our minor */ + usb_deregister_dev(intf, &ld_usb_class); + ++ usb_poison_urb(dev->interrupt_in_urb); ++ usb_poison_urb(dev->interrupt_out_urb); ++ + mutex_lock(&dev->mutex); + + /* if the device is not opened, then we clean up right now */ +@@ -771,7 +771,7 @@ static void ld_usb_disconnect(struct usb + mutex_unlock(&dev->mutex); + ld_usb_delete(dev); + } else { +- dev->intf = NULL; ++ dev->disconnected = 1; + /* wake up pollers */ + wake_up_interruptible_all(&dev->read_wait); + wake_up_interruptible_all(&dev->write_wait); diff --git a/queue-5.3/usb-legousbtower-fix-deadlock-on-disconnect.patch b/queue-5.3/usb-legousbtower-fix-deadlock-on-disconnect.patch new file mode 100644 index 00000000000..8c9661a4a17 --- /dev/null +++ b/queue-5.3/usb-legousbtower-fix-deadlock-on-disconnect.patch @@ -0,0 +1,125 @@ +From 33a7813219f208f4952ece60ee255fd983272dec Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Sep 2019 10:30:37 +0200 +Subject: USB: legousbtower: fix deadlock on disconnect + +From: Johan Hovold + +commit 33a7813219f208f4952ece60ee255fd983272dec upstream. + +Fix a potential deadlock if disconnect races with open. + +Since commit d4ead16f50f9 ("USB: prevent char device open/deregister +race") core holds an rw-semaphore while open is called and when +releasing the minor number during deregistration. This can lead to an +ABBA deadlock if a driver takes a lock in open which it also holds +during deregistration. + +This effectively reverts commit 78663ecc344b ("USB: disconnect open race +in legousbtower") which needlessly introduced this issue after a generic +fix for this race had been added to core by commit d4ead16f50f9 ("USB: +prevent char device open/deregister race"). + +Fixes: 78663ecc344b ("USB: disconnect open race in legousbtower") +Cc: stable # 2.6.24 +Reported-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com +Tested-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20190919083039.30898-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/legousbtower.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +--- a/drivers/usb/misc/legousbtower.c ++++ b/drivers/usb/misc/legousbtower.c +@@ -179,7 +179,6 @@ static const struct usb_device_id tower_ + }; + + MODULE_DEVICE_TABLE (usb, tower_table); +-static DEFINE_MUTEX(open_disc_mutex); + + #define LEGO_USB_TOWER_MINOR_BASE 160 + +@@ -332,18 +331,14 @@ static int tower_open (struct inode *ino + goto exit; + } + +- mutex_lock(&open_disc_mutex); + dev = usb_get_intfdata(interface); +- + if (!dev) { +- mutex_unlock(&open_disc_mutex); + retval = -ENODEV; + goto exit; + } + + /* lock this device */ + if (mutex_lock_interruptible(&dev->lock)) { +- mutex_unlock(&open_disc_mutex); + retval = -ERESTARTSYS; + goto exit; + } +@@ -351,12 +346,10 @@ static int tower_open (struct inode *ino + + /* allow opening only once */ + if (dev->open_count) { +- mutex_unlock(&open_disc_mutex); + retval = -EBUSY; + goto unlock_exit; + } + dev->open_count = 1; +- mutex_unlock(&open_disc_mutex); + + /* reset the tower */ + result = usb_control_msg (dev->udev, +@@ -423,10 +416,9 @@ static int tower_release (struct inode * + + if (dev == NULL) { + retval = -ENODEV; +- goto exit_nolock; ++ goto exit; + } + +- mutex_lock(&open_disc_mutex); + if (mutex_lock_interruptible(&dev->lock)) { + retval = -ERESTARTSYS; + goto exit; +@@ -456,10 +448,7 @@ static int tower_release (struct inode * + + unlock_exit: + mutex_unlock(&dev->lock); +- + exit: +- mutex_unlock(&open_disc_mutex); +-exit_nolock: + return retval; + } + +@@ -912,7 +901,6 @@ static int tower_probe (struct usb_inter + if (retval) { + /* something prevented us from registering this driver */ + dev_err(idev, "Not able to get a minor for this device.\n"); +- usb_set_intfdata (interface, NULL); + goto error; + } + dev->minor = interface->minor; +@@ -944,16 +932,13 @@ static void tower_disconnect (struct usb + int minor; + + dev = usb_get_intfdata (interface); +- mutex_lock(&open_disc_mutex); +- usb_set_intfdata (interface, NULL); + + minor = dev->minor; + +- /* give back our minor */ ++ /* give back our minor and prevent further open() */ + usb_deregister_dev (interface, &tower_class); + + mutex_lock(&dev->lock); +- mutex_unlock(&open_disc_mutex); + + /* if the device is not opened, then we clean up right now */ + if (!dev->open_count) { diff --git a/queue-5.3/usb-legousbtower-fix-open-after-failed-reset-request.patch b/queue-5.3/usb-legousbtower-fix-open-after-failed-reset-request.patch new file mode 100644 index 00000000000..45955f6d466 --- /dev/null +++ b/queue-5.3/usb-legousbtower-fix-open-after-failed-reset-request.patch @@ -0,0 +1,51 @@ +From 0b074f6986751361ff442bc1127c1648567aa8d6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Sep 2019 10:30:39 +0200 +Subject: USB: legousbtower: fix open after failed reset request + +From: Johan Hovold + +commit 0b074f6986751361ff442bc1127c1648567aa8d6 upstream. + +The driver would return with a nonzero open count in case the reset +control request failed. This would prevent any further attempts to open +the char dev until the device was disconnected. + +Fix this by incrementing the open count only on successful open. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Cc: stable +Link: https://lore.kernel.org/r/20190919083039.30898-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/legousbtower.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/misc/legousbtower.c ++++ b/drivers/usb/misc/legousbtower.c +@@ -348,7 +348,6 @@ static int tower_open (struct inode *ino + retval = -EBUSY; + goto unlock_exit; + } +- dev->open_count = 1; + + /* reset the tower */ + result = usb_control_msg (dev->udev, +@@ -388,13 +387,14 @@ static int tower_open (struct inode *ino + dev_err(&dev->udev->dev, + "Couldn't submit interrupt_in_urb %d\n", retval); + dev->interrupt_in_running = 0; +- dev->open_count = 0; + goto unlock_exit; + } + + /* save device in the file's private structure */ + file->private_data = dev; + ++ dev->open_count = 1; ++ + unlock_exit: + mutex_unlock(&dev->lock); + diff --git a/queue-5.3/usb-legousbtower-fix-potential-null-deref-on-disconnect.patch b/queue-5.3/usb-legousbtower-fix-potential-null-deref-on-disconnect.patch new file mode 100644 index 00000000000..a9e2e41c0af --- /dev/null +++ b/queue-5.3/usb-legousbtower-fix-potential-null-deref-on-disconnect.patch @@ -0,0 +1,140 @@ +From cd81e6fa8e033e7bcd59415b4a65672b4780030b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Sep 2019 10:30:38 +0200 +Subject: USB: legousbtower: fix potential NULL-deref on disconnect + +From: Johan Hovold + +commit cd81e6fa8e033e7bcd59415b4a65672b4780030b upstream. + +The driver is using its struct usb_device pointer as an inverted +disconnected flag, but was setting it to NULL before making sure all +completion handlers had run. This could lead to a NULL-pointer +dereference in a number of dev_dbg and dev_err statements in the +completion handlers which relies on said pointer. + +Fix this by unconditionally stopping all I/O and preventing +resubmissions by poisoning the interrupt URBs at disconnect and using a +dedicated disconnected flag. + +This also makes sure that all I/O has completed by the time the +disconnect callback returns. + +Fixes: 9d974b2a06e3 ("USB: legousbtower.c: remove err() usage") +Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro") +Fixes: 4dae99638097 ("USB: legotower: remove custom debug macro and module parameter") +Cc: stable # 3.5 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20190919083039.30898-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/legousbtower.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +--- a/drivers/usb/misc/legousbtower.c ++++ b/drivers/usb/misc/legousbtower.c +@@ -190,6 +190,7 @@ struct lego_usb_tower { + unsigned char minor; /* the starting minor number for this device */ + + int open_count; /* number of times this port has been opened */ ++ unsigned long disconnected:1; + + char* read_buffer; + size_t read_buffer_length; /* this much came in */ +@@ -289,8 +290,6 @@ static inline void lego_usb_tower_debug_ + */ + static inline void tower_delete (struct lego_usb_tower *dev) + { +- tower_abort_transfers (dev); +- + /* free data structures */ + usb_free_urb(dev->interrupt_in_urb); + usb_free_urb(dev->interrupt_out_urb); +@@ -430,7 +429,8 @@ static int tower_release (struct inode * + retval = -ENODEV; + goto unlock_exit; + } +- if (dev->udev == NULL) { ++ ++ if (dev->disconnected) { + /* the device was unplugged before the file was released */ + + /* unlock here as tower_delete frees dev */ +@@ -466,10 +466,9 @@ static void tower_abort_transfers (struc + if (dev->interrupt_in_running) { + dev->interrupt_in_running = 0; + mb(); +- if (dev->udev) +- usb_kill_urb (dev->interrupt_in_urb); ++ usb_kill_urb(dev->interrupt_in_urb); + } +- if (dev->interrupt_out_busy && dev->udev) ++ if (dev->interrupt_out_busy) + usb_kill_urb(dev->interrupt_out_urb); + } + +@@ -505,7 +504,7 @@ static __poll_t tower_poll (struct file + + dev = file->private_data; + +- if (!dev->udev) ++ if (dev->disconnected) + return EPOLLERR | EPOLLHUP; + + poll_wait(file, &dev->read_wait, wait); +@@ -552,7 +551,7 @@ static ssize_t tower_read (struct file * + } + + /* verify that the device wasn't unplugged */ +- if (dev->udev == NULL) { ++ if (dev->disconnected) { + retval = -ENODEV; + pr_err("No device or device unplugged %d\n", retval); + goto unlock_exit; +@@ -638,7 +637,7 @@ static ssize_t tower_write (struct file + } + + /* verify that the device wasn't unplugged */ +- if (dev->udev == NULL) { ++ if (dev->disconnected) { + retval = -ENODEV; + pr_err("No device or device unplugged %d\n", retval); + goto unlock_exit; +@@ -748,7 +747,7 @@ static void tower_interrupt_in_callback + + resubmit: + /* resubmit if we're still running */ +- if (dev->interrupt_in_running && dev->udev) { ++ if (dev->interrupt_in_running) { + retval = usb_submit_urb (dev->interrupt_in_urb, GFP_ATOMIC); + if (retval) + dev_err(&dev->udev->dev, +@@ -813,6 +812,7 @@ static int tower_probe (struct usb_inter + + dev->udev = udev; + dev->open_count = 0; ++ dev->disconnected = 0; + + dev->read_buffer = NULL; + dev->read_buffer_length = 0; +@@ -938,6 +938,10 @@ static void tower_disconnect (struct usb + /* give back our minor and prevent further open() */ + usb_deregister_dev (interface, &tower_class); + ++ /* stop I/O */ ++ usb_poison_urb(dev->interrupt_in_urb); ++ usb_poison_urb(dev->interrupt_out_urb); ++ + mutex_lock(&dev->lock); + + /* if the device is not opened, then we clean up right now */ +@@ -945,7 +949,7 @@ static void tower_disconnect (struct usb + mutex_unlock(&dev->lock); + tower_delete (dev); + } else { +- dev->udev = NULL; ++ dev->disconnected = 1; + /* wake up pollers */ + wake_up_interruptible_all(&dev->read_wait); + wake_up_interruptible_all(&dev->write_wait); diff --git a/queue-5.3/usb-legousbtower-fix-slab-info-leak-at-probe.patch b/queue-5.3/usb-legousbtower-fix-slab-info-leak-at-probe.patch new file mode 100644 index 00000000000..7b2c3913e9d --- /dev/null +++ b/queue-5.3/usb-legousbtower-fix-slab-info-leak-at-probe.patch @@ -0,0 +1,38 @@ +From 1d427be4a39defadda6dd8f4659bc17f7591740f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Sep 2019 10:30:36 +0200 +Subject: USB: legousbtower: fix slab info leak at probe + +From: Johan Hovold + +commit 1d427be4a39defadda6dd8f4659bc17f7591740f upstream. + +Make sure to check for short transfers when retrieving the version +information at probe to avoid leaking uninitialised slab data when +logging it. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20190919083039.30898-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/legousbtower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/misc/legousbtower.c ++++ b/drivers/usb/misc/legousbtower.c +@@ -891,8 +891,10 @@ static int tower_probe (struct usb_inter + get_version_reply, + sizeof(*get_version_reply), + 1000); +- if (result < 0) { +- dev_err(idev, "LEGO USB Tower get version control request failed\n"); ++ if (result < sizeof(*get_version_reply)) { ++ if (result >= 0) ++ result = -EIO; ++ dev_err(idev, "get version request failed: %d\n", result); + retval = result; + goto error; + } diff --git a/queue-5.3/usb-legousbtower-fix-use-after-free-on-release.patch b/queue-5.3/usb-legousbtower-fix-use-after-free-on-release.patch new file mode 100644 index 00000000000..05a3ceb5c35 --- /dev/null +++ b/queue-5.3/usb-legousbtower-fix-use-after-free-on-release.patch @@ -0,0 +1,43 @@ +From 726b55d0e22ca72c69c947af87785c830289ddbc Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 17:38:47 +0200 +Subject: USB: legousbtower: fix use-after-free on release + +From: Johan Hovold + +commit 726b55d0e22ca72c69c947af87785c830289ddbc upstream. + +The driver was accessing its struct usb_device in its release() +callback without holding a reference. This would lead to a +use-after-free whenever the device was disconnected while the character +device was still open. + +Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro") +Cc: stable # 3.12 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009153848.8664-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/legousbtower.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/misc/legousbtower.c ++++ b/drivers/usb/misc/legousbtower.c +@@ -296,6 +296,7 @@ static inline void tower_delete (struct + kfree (dev->read_buffer); + kfree (dev->interrupt_in_buffer); + kfree (dev->interrupt_out_buffer); ++ usb_put_dev(dev->udev); + kfree (dev); + } + +@@ -810,7 +811,7 @@ static int tower_probe (struct usb_inter + + mutex_init(&dev->lock); + +- dev->udev = udev; ++ dev->udev = usb_get_dev(udev); + dev->open_count = 0; + dev->disconnected = 0; + diff --git a/queue-5.3/usb-microtek-fix-info-leak-at-probe.patch b/queue-5.3/usb-microtek-fix-info-leak-at-probe.patch new file mode 100644 index 00000000000..cf474ae5f9e --- /dev/null +++ b/queue-5.3/usb-microtek-fix-info-leak-at-probe.patch @@ -0,0 +1,38 @@ +From 177238c3d47d54b2ed8f0da7a4290db492f4a057 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 3 Oct 2019 09:09:31 +0200 +Subject: USB: microtek: fix info-leak at probe + +From: Johan Hovold + +commit 177238c3d47d54b2ed8f0da7a4290db492f4a057 upstream. + +Add missing bulk-in endpoint sanity check to prevent uninitialised stack +data from being reported to the system log and used as endpoint +addresses. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Reported-by: syzbot+5630ca7c3b2be5c9da5e@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Acked-by: Oliver Neukum +Link: https://lore.kernel.org/r/20191003070931.17009-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/image/microtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/image/microtek.c ++++ b/drivers/usb/image/microtek.c +@@ -716,6 +716,10 @@ static int mts_usb_probe(struct usb_inte + + } + ++ if (ep_in_current != &ep_in_set[2]) { ++ MTS_WARNING("couldn't find two input bulk endpoints. Bailing out.\n"); ++ return -ENODEV; ++ } + + if ( ep_out == -1 ) { + MTS_WARNING( "couldn't find an output bulk endpoint. Bailing out.\n" ); diff --git a/queue-5.3/usb-renesas_usbhs-gadget-do-not-discard-queues-in-usb_ep_set_-halt-wedge.patch b/queue-5.3/usb-renesas_usbhs-gadget-do-not-discard-queues-in-usb_ep_set_-halt-wedge.patch new file mode 100644 index 00000000000..0fa4336dcde --- /dev/null +++ b/queue-5.3/usb-renesas_usbhs-gadget-do-not-discard-queues-in-usb_ep_set_-halt-wedge.patch @@ -0,0 +1,36 @@ +From 1aae1394294cb71c6aa0bc904a94a7f2f1e75936 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 1 Oct 2019 19:10:32 +0900 +Subject: usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}() + +From: Yoshihiro Shimoda + +commit 1aae1394294cb71c6aa0bc904a94a7f2f1e75936 upstream. + +The commit 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area") +had added a usbhsg_pipe_disable() calling into +__usbhsg_ep_set_halt_wedge() accidentally. But, this driver should +not call the usbhsg_pipe_disable() because the function discards +all queues. So, this patch removes it. + +Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area") +Cc: # v3.1+ +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1569924633-322-2-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/mod_gadget.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -723,8 +723,6 @@ static int __usbhsg_ep_set_halt_wedge(st + struct device *dev = usbhsg_gpriv_to_dev(gpriv); + unsigned long flags; + +- usbhsg_pipe_disable(uep); +- + dev_dbg(dev, "set halt %d (pipe %d)\n", + halt, usbhs_pipe_number(pipe)); + diff --git a/queue-5.3/usb-renesas_usbhs-gadget-fix-usb_ep_set_-halt-wedge-behavior.patch b/queue-5.3/usb-renesas_usbhs-gadget-fix-usb_ep_set_-halt-wedge-behavior.patch new file mode 100644 index 00000000000..6a38d1ca743 --- /dev/null +++ b/queue-5.3/usb-renesas_usbhs-gadget-fix-usb_ep_set_-halt-wedge-behavior.patch @@ -0,0 +1,137 @@ +From 4d599cd3a097a85a5c68a2c82b9a48cddf9953ec Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 1 Oct 2019 19:10:33 +0900 +Subject: usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior + +From: Yoshihiro Shimoda + +commit 4d599cd3a097a85a5c68a2c82b9a48cddf9953ec upstream. + +According to usb_ep_set_halt()'s description, +__usbhsg_ep_set_halt_wedge() should return -EAGAIN if the IN endpoint +has any queue or data. Otherwise, this driver is possible to cause +just STALL without sending a short packet data on g_mass_storage driver, +and then a few resetting a device happens on a host side during +a usb enumaration. + +Fixes: 2f98382dcdfe ("usb: renesas_usbhs: Add Renesas USBHS Gadget") +Cc: # v3.0+ +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1569924633-322-3-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/common.h | 1 + + drivers/usb/renesas_usbhs/fifo.c | 2 +- + drivers/usb/renesas_usbhs/fifo.h | 1 + + drivers/usb/renesas_usbhs/mod_gadget.c | 16 +++++++++++++++- + drivers/usb/renesas_usbhs/pipe.c | 15 +++++++++++++++ + drivers/usb/renesas_usbhs/pipe.h | 1 + + 6 files changed, 34 insertions(+), 2 deletions(-) + +--- a/drivers/usb/renesas_usbhs/common.h ++++ b/drivers/usb/renesas_usbhs/common.h +@@ -211,6 +211,7 @@ struct usbhs_priv; + /* DCPCTR */ + #define BSTS (1 << 15) /* Buffer Status */ + #define SUREQ (1 << 14) /* Sending SETUP Token */ ++#define INBUFM (1 << 14) /* (PIPEnCTR) Transfer Buffer Monitor */ + #define CSSTS (1 << 12) /* CSSTS Status */ + #define ACLRM (1 << 9) /* Buffer Auto-Clear Mode */ + #define SQCLR (1 << 8) /* Toggle Bit Clear */ +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -89,7 +89,7 @@ static void __usbhsf_pkt_del(struct usbh + list_del_init(&pkt->node); + } + +-static struct usbhs_pkt *__usbhsf_pkt_get(struct usbhs_pipe *pipe) ++struct usbhs_pkt *__usbhsf_pkt_get(struct usbhs_pipe *pipe) + { + return list_first_entry_or_null(&pipe->list, struct usbhs_pkt, node); + } +--- a/drivers/usb/renesas_usbhs/fifo.h ++++ b/drivers/usb/renesas_usbhs/fifo.h +@@ -97,5 +97,6 @@ void usbhs_pkt_push(struct usbhs_pipe *p + void *buf, int len, int zero, int sequence); + struct usbhs_pkt *usbhs_pkt_pop(struct usbhs_pipe *pipe, struct usbhs_pkt *pkt); + void usbhs_pkt_start(struct usbhs_pipe *pipe); ++struct usbhs_pkt *__usbhsf_pkt_get(struct usbhs_pipe *pipe); + + #endif /* RENESAS_USB_FIFO_H */ +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -722,6 +722,7 @@ static int __usbhsg_ep_set_halt_wedge(st + struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv); + struct device *dev = usbhsg_gpriv_to_dev(gpriv); + unsigned long flags; ++ int ret = 0; + + dev_dbg(dev, "set halt %d (pipe %d)\n", + halt, usbhs_pipe_number(pipe)); +@@ -729,6 +730,18 @@ static int __usbhsg_ep_set_halt_wedge(st + /******************** spin lock ********************/ + usbhs_lock(priv, flags); + ++ /* ++ * According to usb_ep_set_halt()'s description, this function should ++ * return -EAGAIN if the IN endpoint has any queue or data. Note ++ * that the usbhs_pipe_is_dir_in() returns false if the pipe is an ++ * IN endpoint in the gadget mode. ++ */ ++ if (!usbhs_pipe_is_dir_in(pipe) && (__usbhsf_pkt_get(pipe) || ++ usbhs_pipe_contains_transmittable_data(pipe))) { ++ ret = -EAGAIN; ++ goto out; ++ } ++ + if (halt) + usbhs_pipe_stall(pipe); + else +@@ -739,10 +752,11 @@ static int __usbhsg_ep_set_halt_wedge(st + else + usbhsg_status_clr(gpriv, USBHSG_STATUS_WEDGE); + ++out: + usbhs_unlock(priv, flags); + /******************** spin unlock ******************/ + +- return 0; ++ return ret; + } + + static int usbhsg_ep_set_halt(struct usb_ep *ep, int value) +--- a/drivers/usb/renesas_usbhs/pipe.c ++++ b/drivers/usb/renesas_usbhs/pipe.c +@@ -277,6 +277,21 @@ int usbhs_pipe_is_accessible(struct usbh + return -EBUSY; + } + ++bool usbhs_pipe_contains_transmittable_data(struct usbhs_pipe *pipe) ++{ ++ u16 val; ++ ++ /* Do not support for DCP pipe */ ++ if (usbhs_pipe_is_dcp(pipe)) ++ return false; ++ ++ val = usbhsp_pipectrl_get(pipe); ++ if (val & INBUFM) ++ return true; ++ ++ return false; ++} ++ + /* + * PID ctrl + */ +--- a/drivers/usb/renesas_usbhs/pipe.h ++++ b/drivers/usb/renesas_usbhs/pipe.h +@@ -83,6 +83,7 @@ void usbhs_pipe_clear(struct usbhs_pipe + void usbhs_pipe_clear_without_sequence(struct usbhs_pipe *pipe, + int needs_bfre, int bfre_enable); + int usbhs_pipe_is_accessible(struct usbhs_pipe *pipe); ++bool usbhs_pipe_contains_transmittable_data(struct usbhs_pipe *pipe); + void usbhs_pipe_enable(struct usbhs_pipe *pipe); + void usbhs_pipe_disable(struct usbhs_pipe *pipe); + void usbhs_pipe_stall(struct usbhs_pipe *pipe); diff --git a/queue-5.3/usb-serial-fix-runtime-pm-after-driver-unbind.patch b/queue-5.3/usb-serial-fix-runtime-pm-after-driver-unbind.patch new file mode 100644 index 00000000000..119310d3b33 --- /dev/null +++ b/queue-5.3/usb-serial-fix-runtime-pm-after-driver-unbind.patch @@ -0,0 +1,41 @@ +From d51bdb93ca7e71d7fb30a572c7b47ed0194bf3fe Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Oct 2019 10:49:07 +0200 +Subject: USB: serial: fix runtime PM after driver unbind + +From: Johan Hovold + +commit d51bdb93ca7e71d7fb30a572c7b47ed0194bf3fe upstream. + +Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate +interface PM usage counter") USB drivers must always balance their +runtime PM gets and puts, including when the driver has already been +unbound from the interface. + +Leaving the interface with a positive PM usage counter would prevent a +later bound driver from suspending the device. + +Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191001084908.2003-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb-serial.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -314,10 +314,7 @@ static void serial_cleanup(struct tty_st + serial = port->serial; + owner = serial->type->driver.owner; + +- mutex_lock(&serial->disc_mutex); +- if (!serial->disconnected) +- usb_autopm_put_interface(serial->interface); +- mutex_unlock(&serial->disc_mutex); ++ usb_autopm_put_interface(serial->interface); + + usb_serial_put(serial); + module_put(owner); diff --git a/queue-5.3/usb-serial-ftdi_sio-add-device-ids-for-sienna-and-echelon-pl-20.patch b/queue-5.3/usb-serial-ftdi_sio-add-device-ids-for-sienna-and-echelon-pl-20.patch new file mode 100644 index 00000000000..3705db568c9 --- /dev/null +++ b/queue-5.3/usb-serial-ftdi_sio-add-device-ids-for-sienna-and-echelon-pl-20.patch @@ -0,0 +1,65 @@ +From 357f16d9e0194cdbc36531ff88b453481560b76a Mon Sep 17 00:00:00 2001 +From: Beni Mahler +Date: Thu, 5 Sep 2019 00:26:20 +0200 +Subject: USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 + +From: Beni Mahler + +commit 357f16d9e0194cdbc36531ff88b453481560b76a upstream. + +Both devices added here have a FTDI chip inside. The device from Echelon +is called 'Network Interface' it is actually a LON network gateway. + + ID 0403:8348 Future Technology Devices International, Ltd + https://www.eltako.com/fileadmin/downloads/de/datenblatt/Datenblatt_PL-SW-PROF.pdf + + ID 0920:7500 Network Interface + https://www.echelon.com/products/u20-usb-network-interface + +Signed-off-by: Beni Mahler +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 3 +++ + drivers/usb/serial/ftdi_sio_ids.h | 9 +++++++++ + 2 files changed, 12 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1030,6 +1030,9 @@ static const struct usb_device_id id_tab + /* EZPrototypes devices */ + { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) }, + { USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) }, ++ /* Sienna devices */ ++ { USB_DEVICE(FTDI_VID, FTDI_SIENNA_PID) }, ++ { USB_DEVICE(ECHELON_VID, ECHELON_U20_PID) }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -39,6 +39,9 @@ + + #define FTDI_LUMEL_PD12_PID 0x6002 + ++/* Sienna Serial Interface by Secyourit GmbH */ ++#define FTDI_SIENNA_PID 0x8348 ++ + /* Cyber Cortex AV by Fabulous Silicon (http://fabuloussilicon.com) */ + #define CYBER_CORTEX_AV_PID 0x8698 + +@@ -689,6 +692,12 @@ + #define BANDB_ZZ_PROG1_USB_PID 0xBA02 + + /* ++ * Echelon USB Serial Interface ++ */ ++#define ECHELON_VID 0x0920 ++#define ECHELON_U20_PID 0x7500 ++ ++/* + * Intrepid Control Systems (http://www.intrepidcs.com/) ValueCAN and NeoVI + */ + #define INTREPID_VID 0x093C diff --git a/queue-5.3/usb-serial-keyspan-fix-null-derefs-on-open-and-write.patch b/queue-5.3/usb-serial-keyspan-fix-null-derefs-on-open-and-write.patch new file mode 100644 index 00000000000..13499b806f3 --- /dev/null +++ b/queue-5.3/usb-serial-keyspan-fix-null-derefs-on-open-and-write.patch @@ -0,0 +1,74 @@ +From 7d7e21fafdbc7fcf0854b877bd0975b487ed2717 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 3 Oct 2019 15:49:58 +0200 +Subject: USB: serial: keyspan: fix NULL-derefs on open() and write() + +From: Johan Hovold + +commit 7d7e21fafdbc7fcf0854b877bd0975b487ed2717 upstream. + +Fix NULL-pointer dereferences on open() and write() which can be +triggered by a malicious USB device. + +The current URB allocation helper would fail to initialise the newly +allocated URB if the device has unexpected endpoint descriptors, +something which could lead NULL-pointer dereferences in a number of +open() and write() paths when accessing the URB. For example: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ... + RIP: 0010:usb_clear_halt+0x11/0xc0 + ... + Call Trace: + ? tty_port_open+0x4d/0xd0 + keyspan_open+0x70/0x160 [keyspan] + serial_port_activate+0x5b/0x80 [usbserial] + tty_port_open+0x7b/0xd0 + ? check_tty_count+0x43/0xa0 + tty_open+0xf1/0x490 + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ... + RIP: 0010:keyspan_write+0x14e/0x1f3 [keyspan] + ... + Call Trace: + serial_write+0x43/0xa0 [usbserial] + n_tty_write+0x1af/0x4f0 + ? do_wait_intr_irq+0x80/0x80 + ? process_echoes+0x60/0x60 + tty_write+0x13f/0x2f0 + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ... + RIP: 0010:keyspan_usa26_send_setup+0x298/0x305 [keyspan] + ... + Call Trace: + keyspan_open+0x10f/0x160 [keyspan] + serial_port_activate+0x5b/0x80 [usbserial] + tty_port_open+0x7b/0xd0 + ? check_tty_count+0x43/0xa0 + tty_open+0xf1/0x490 + +Fixes: fdcba53e2d58 ("fix for bugzilla #7544 (keyspan USB-to-serial converter)") +Cc: stable # 2.6.21 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -1741,8 +1741,8 @@ static struct urb *keyspan_setup_urb(str + + ep_desc = find_ep(serial, endpoint); + if (!ep_desc) { +- /* leak the urb, something's wrong and the callers don't care */ +- return urb; ++ usb_free_urb(urb); ++ return NULL; + } + if (usb_endpoint_xfer_int(ep_desc)) { + ep_type_name = "INT"; diff --git a/queue-5.3/usb-serial-option-add-support-for-cinterion-cls8-devices.patch b/queue-5.3/usb-serial-option-add-support-for-cinterion-cls8-devices.patch new file mode 100644 index 00000000000..ef7fb1200ce --- /dev/null +++ b/queue-5.3/usb-serial-option-add-support-for-cinterion-cls8-devices.patch @@ -0,0 +1,65 @@ +From dfbac2f4da6a0c4a8f6b4d715a4077a7b8df53ad Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Thu, 3 Oct 2019 18:53:21 +0200 +Subject: USB: serial: option: add support for Cinterion CLS8 devices + +From: Reinhard Speyerer + +commit dfbac2f4da6a0c4a8f6b4d715a4077a7b8df53ad upstream. + +Add support for the serial ports of Cinterion CLS8 devices. + +T: Bus=01 Lev=03 Prnt=05 Port=01 Cnt=02 Dev#= 25 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1e2d ProdID=00b0 Rev= 3.18 +S: Manufacturer=GEMALTO +S: Product=USB Modem +C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Reinhard Speyerer +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -419,6 +419,7 @@ static void option_instat_callback(struc + #define CINTERION_PRODUCT_PH8_AUDIO 0x0083 + #define CINTERION_PRODUCT_AHXX_2RMNET 0x0084 + #define CINTERION_PRODUCT_AHXX_AUDIO 0x0085 ++#define CINTERION_PRODUCT_CLS8 0x00b0 + + /* Olivetti products */ + #define OLIVETTI_VENDOR_ID 0x0b3c +@@ -1855,6 +1856,8 @@ static const struct usb_device_id option + .driver_info = RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) }, ++ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_CLS8, 0xff), ++ .driver_info = RSVD(0) | RSVD(4) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, + { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) }, + { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) }, diff --git a/queue-5.3/usb-serial-option-add-telit-fn980-compositions.patch b/queue-5.3/usb-serial-option-add-telit-fn980-compositions.patch new file mode 100644 index 00000000000..0a2cb1223e7 --- /dev/null +++ b/queue-5.3/usb-serial-option-add-telit-fn980-compositions.patch @@ -0,0 +1,42 @@ +From 5eb3f4b87a0e7e949c976f32f296176a06d1a93b Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Mon, 23 Sep 2019 12:23:28 +0200 +Subject: USB: serial: option: add Telit FN980 compositions + +From: Daniele Palmas + +commit 5eb3f4b87a0e7e949c976f32f296176a06d1a93b upstream. + +This patch adds the following Telit FN980 compositions: + +0x1050: tty, adb, rmnet, tty, tty, tty, tty +0x1051: tty, adb, mbim, tty, tty, tty, tty +0x1052: rndis, tty, adb, tty, tty, tty, tty +0x1053: tty, adb, ecm, tty, tty, tty, tty + +Signed-off-by: Daniele Palmas +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1154,6 +1154,14 @@ static const struct usb_device_id option + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff), + .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1050, 0xff), /* Telit FN980 (rmnet) */ ++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1051, 0xff), /* Telit FN980 (MBIM) */ ++ .driver_info = NCTRL(0) | RSVD(1) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1052, 0xff), /* Telit FN980 (RNDIS) */ ++ .driver_info = NCTRL(2) | RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1053, 0xff), /* Telit FN980 (ECM) */ ++ .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), diff --git a/queue-5.3/usb-typec-tcpm-usb-typec-tcpm-fix-a-signedness-bug-in-tcpm_fw_get_caps.patch b/queue-5.3/usb-typec-tcpm-usb-typec-tcpm-fix-a-signedness-bug-in-tcpm_fw_get_caps.patch new file mode 100644 index 00000000000..555090ca242 --- /dev/null +++ b/queue-5.3/usb-typec-tcpm-usb-typec-tcpm-fix-a-signedness-bug-in-tcpm_fw_get_caps.patch @@ -0,0 +1,54 @@ +From 7101949f36fc77b530b73e4c6bd0066a2740d75b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 1 Oct 2019 15:01:17 +0300 +Subject: usb: typec: tcpm: usb: typec: tcpm: Fix a signedness bug in tcpm_fw_get_caps() + +From: Dan Carpenter + +commit 7101949f36fc77b530b73e4c6bd0066a2740d75b upstream. + +The "port->typec_caps.data" and "port->typec_caps.type" variables are +enums and in this context GCC will treat them as an unsigned int so they +can never be less than zero. + +Fixes: ae8a2ca8a221 ("usb: typec: Group all TCPCI/TCPM code together") +Signed-off-by: Dan Carpenter +Cc: stable +Reviewed-by: Guenter Roeck +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20191001120117.GA23528@mwanda +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/tcpm/tcpm.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -4416,18 +4416,20 @@ static int tcpm_fw_get_caps(struct tcpm_ + /* USB data support is optional */ + ret = fwnode_property_read_string(fwnode, "data-role", &cap_str); + if (ret == 0) { +- port->typec_caps.data = typec_find_port_data_role(cap_str); +- if (port->typec_caps.data < 0) +- return -EINVAL; ++ ret = typec_find_port_data_role(cap_str); ++ if (ret < 0) ++ return ret; ++ port->typec_caps.data = ret; + } + + ret = fwnode_property_read_string(fwnode, "power-role", &cap_str); + if (ret < 0) + return ret; + +- port->typec_caps.type = typec_find_port_power_role(cap_str); +- if (port->typec_caps.type < 0) +- return -EINVAL; ++ ret = typec_find_port_power_role(cap_str); ++ if (ret < 0) ++ return ret; ++ port->typec_caps.type = ret; + port->port_type = port->typec_caps.type; + + if (port->port_type == TYPEC_PORT_SNK) diff --git a/queue-5.3/usb-typec-ucsi-ccg-remove-run_isr-flag.patch b/queue-5.3/usb-typec-ucsi-ccg-remove-run_isr-flag.patch new file mode 100644 index 00000000000..3b816ab92ca --- /dev/null +++ b/queue-5.3/usb-typec-ucsi-ccg-remove-run_isr-flag.patch @@ -0,0 +1,129 @@ +From 8530e4e20ec2355c273f4dba9002969e68275e5f Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Fri, 4 Oct 2019 13:02:18 +0300 +Subject: usb: typec: ucsi: ccg: Remove run_isr flag + +From: Heikki Krogerus + +commit 8530e4e20ec2355c273f4dba9002969e68275e5f upstream. + +The "run_isr" flag is used for preventing the driver from +calling the interrupt service routine in its runtime resume +callback when the driver is expecting completion to a +command, but what that basically does is that it hides the +real problem. The real problem is that the controller is +allowed to suspend in the middle of command execution. + +As a more appropriate fix for the problem, using autosuspend +delay time that matches UCSI_TIMEOUT_MS (5s). That prevents +the controller from suspending while still in the middle of +executing a command. + +This fixes a potential deadlock. Both ccg_read() and +ccg_write() are called with the mutex already taken at least +from ccg_send_command(). In ccg_read() and ccg_write, the +mutex is only acquired so that run_isr flag can be set. + +Fixes: f0e4cd948b91 ("usb: typec: ucsi: ccg: add runtime pm workaround") +Cc: stable@vger.kernel.org +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20191004100219.71152-2-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/ucsi/ucsi_ccg.c | 42 +++----------------------------------- + 1 file changed, 4 insertions(+), 38 deletions(-) + +--- a/drivers/usb/typec/ucsi/ucsi_ccg.c ++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c +@@ -195,7 +195,6 @@ struct ucsi_ccg { + + /* fw build with vendor information */ + u16 fw_build; +- bool run_isr; /* flag to call ISR routine during resume */ + struct work_struct pm_work; + }; + +@@ -224,18 +223,6 @@ static int ccg_read(struct ucsi_ccg *uc, + if (quirks && quirks->max_read_len) + max_read_len = quirks->max_read_len; + +- if (uc->fw_build == CCG_FW_BUILD_NVIDIA && +- uc->fw_version <= CCG_OLD_FW_VERSION) { +- mutex_lock(&uc->lock); +- /* +- * Do not schedule pm_work to run ISR in +- * ucsi_ccg_runtime_resume() after pm_runtime_get_sync() +- * since we are already in ISR path. +- */ +- uc->run_isr = false; +- mutex_unlock(&uc->lock); +- } +- + pm_runtime_get_sync(uc->dev); + while (rem_len > 0) { + msgs[1].buf = &data[len - rem_len]; +@@ -278,18 +265,6 @@ static int ccg_write(struct ucsi_ccg *uc + msgs[0].len = len + sizeof(rab); + msgs[0].buf = buf; + +- if (uc->fw_build == CCG_FW_BUILD_NVIDIA && +- uc->fw_version <= CCG_OLD_FW_VERSION) { +- mutex_lock(&uc->lock); +- /* +- * Do not schedule pm_work to run ISR in +- * ucsi_ccg_runtime_resume() after pm_runtime_get_sync() +- * since we are already in ISR path. +- */ +- uc->run_isr = false; +- mutex_unlock(&uc->lock); +- } +- + pm_runtime_get_sync(uc->dev); + status = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs)); + if (status < 0) { +@@ -1133,7 +1108,6 @@ static int ucsi_ccg_probe(struct i2c_cli + uc->ppm.sync = ucsi_ccg_sync; + uc->dev = dev; + uc->client = client; +- uc->run_isr = true; + mutex_init(&uc->lock); + INIT_WORK(&uc->work, ccg_update_firmware); + INIT_WORK(&uc->pm_work, ccg_pm_workaround_work); +@@ -1195,6 +1169,8 @@ static int ucsi_ccg_probe(struct i2c_cli + + pm_runtime_set_active(uc->dev); + pm_runtime_enable(uc->dev); ++ pm_runtime_use_autosuspend(uc->dev); ++ pm_runtime_set_autosuspend_delay(uc->dev, 5000); + pm_runtime_idle(uc->dev); + + return 0; +@@ -1237,7 +1213,6 @@ static int ucsi_ccg_runtime_resume(struc + { + struct i2c_client *client = to_i2c_client(dev); + struct ucsi_ccg *uc = i2c_get_clientdata(client); +- bool schedule = true; + + /* + * Firmware version 3.1.10 or earlier, built for NVIDIA has known issue +@@ -1245,17 +1220,8 @@ static int ucsi_ccg_runtime_resume(struc + * Schedule a work to call ISR as a workaround. + */ + if (uc->fw_build == CCG_FW_BUILD_NVIDIA && +- uc->fw_version <= CCG_OLD_FW_VERSION) { +- mutex_lock(&uc->lock); +- if (!uc->run_isr) { +- uc->run_isr = true; +- schedule = false; +- } +- mutex_unlock(&uc->lock); +- +- if (schedule) +- schedule_work(&uc->pm_work); +- } ++ uc->fw_version <= CCG_OLD_FW_VERSION) ++ schedule_work(&uc->pm_work); + + return 0; + } diff --git a/queue-5.3/usb-typec-ucsi-displayport-fix-for-the-mode-entering-routine.patch b/queue-5.3/usb-typec-ucsi-displayport-fix-for-the-mode-entering-routine.patch new file mode 100644 index 00000000000..57d2b8488db --- /dev/null +++ b/queue-5.3/usb-typec-ucsi-displayport-fix-for-the-mode-entering-routine.patch @@ -0,0 +1,36 @@ +From f2372b87c386871b16d7dbda680d98d4092ab708 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Fri, 4 Oct 2019 13:02:19 +0300 +Subject: usb: typec: ucsi: displayport: Fix for the mode entering routine + +From: Heikki Krogerus + +commit f2372b87c386871b16d7dbda680d98d4092ab708 upstream. + +Making sure that ucsi_displayport_enter() function does not +return an error if the displayport alternate mode has +already been entered. It's normal that the firmware (or +controller) has already entered the alternate mode by the +time the operating system is notified about the device. + +Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode") +Cc: stable@vger.kernel.org +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20191004100219.71152-3-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/ucsi/displayport.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/typec/ucsi/displayport.c ++++ b/drivers/usb/typec/ucsi/displayport.c +@@ -75,6 +75,8 @@ static int ucsi_displayport_enter(struct + + if (cur != 0xff) { + mutex_unlock(&dp->con->lock); ++ if (dp->con->port_altmode[cur] == alt) ++ return 0; + return -EBUSY; + } + diff --git a/queue-5.3/usb-usb-skeleton-fix-null-deref-on-disconnect.patch b/queue-5.3/usb-usb-skeleton-fix-null-deref-on-disconnect.patch new file mode 100644 index 00000000000..6d7466407b2 --- /dev/null +++ b/queue-5.3/usb-usb-skeleton-fix-null-deref-on-disconnect.patch @@ -0,0 +1,70 @@ +From bed5ef230943863b9abf5eae226a20fad9a8ff71 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 9 Oct 2019 19:09:42 +0200 +Subject: USB: usb-skeleton: fix NULL-deref on disconnect + +From: Johan Hovold + +commit bed5ef230943863b9abf5eae226a20fad9a8ff71 upstream. + +The driver was using its struct usb_interface pointer as an inverted +disconnected flag and was setting it to NULL before making sure all +completion handlers had run. This could lead to NULL-pointer +dereferences in the dev_err() statements in the completion handlers +which relies on said pointer. + +Fix this by using a dedicated disconnected flag. + +Note that this is also addresses a NULL-pointer dereference at release() +and a struct usb_interface reference leak introduced by a recent runtime +PM fix, which depends on and should have been submitted together with +this patch. + +Fixes: 4212cd74ca6f ("USB: usb-skeleton.c: remove err() usage") +Fixes: 5c290a5e42c3 ("USB: usb-skeleton: fix runtime PM after driver unbind") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191009170944.30057-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usb-skeleton.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/usb-skeleton.c ++++ b/drivers/usb/usb-skeleton.c +@@ -59,6 +59,7 @@ struct usb_skel { + spinlock_t err_lock; /* lock for errors */ + struct kref kref; + struct mutex io_mutex; /* synchronize I/O with disconnect */ ++ unsigned long disconnected:1; + wait_queue_head_t bulk_in_wait; /* to wait for an ongoing read */ + }; + #define to_skel_dev(d) container_of(d, struct usb_skel, kref) +@@ -236,7 +237,7 @@ static ssize_t skel_read(struct file *fi + if (rv < 0) + return rv; + +- if (!dev->interface) { /* disconnect() was called */ ++ if (dev->disconnected) { /* disconnect() was called */ + rv = -ENODEV; + goto exit; + } +@@ -418,7 +419,7 @@ static ssize_t skel_write(struct file *f + + /* this lock makes sure we don't submit URBs to gone devices */ + mutex_lock(&dev->io_mutex); +- if (!dev->interface) { /* disconnect() was called */ ++ if (dev->disconnected) { /* disconnect() was called */ + mutex_unlock(&dev->io_mutex); + retval = -ENODEV; + goto error; +@@ -569,7 +570,7 @@ static void skel_disconnect(struct usb_i + + /* prevent more I/O from starting */ + mutex_lock(&dev->io_mutex); +- dev->interface = NULL; ++ dev->disconnected = 1; + mutex_unlock(&dev->io_mutex); + + usb_kill_anchored_urbs(&dev->submitted); diff --git a/queue-5.3/usb-usb-skeleton-fix-runtime-pm-after-driver-unbind.patch b/queue-5.3/usb-usb-skeleton-fix-runtime-pm-after-driver-unbind.patch new file mode 100644 index 00000000000..d5477e5d481 --- /dev/null +++ b/queue-5.3/usb-usb-skeleton-fix-runtime-pm-after-driver-unbind.patch @@ -0,0 +1,58 @@ +From 5c290a5e42c3387e82de86965784d30e6c5270fd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Oct 2019 10:49:05 +0200 +Subject: USB: usb-skeleton: fix runtime PM after driver unbind + +From: Johan Hovold + +commit 5c290a5e42c3387e82de86965784d30e6c5270fd upstream. + +Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate +interface PM usage counter") USB drivers must always balance their +runtime PM gets and puts, including when the driver has already been +unbound from the interface. + +Leaving the interface with a positive PM usage counter would prevent a +later bound driver from suspending the device. + +Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191001084908.2003-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usb-skeleton.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/usb/usb-skeleton.c ++++ b/drivers/usb/usb-skeleton.c +@@ -71,6 +71,7 @@ static void skel_delete(struct kref *kre + struct usb_skel *dev = to_skel_dev(kref); + + usb_free_urb(dev->bulk_in_urb); ++ usb_put_intf(dev->interface); + usb_put_dev(dev->udev); + kfree(dev->bulk_in_buffer); + kfree(dev); +@@ -122,10 +123,7 @@ static int skel_release(struct inode *in + return -ENODEV; + + /* allow the device to be autosuspended */ +- mutex_lock(&dev->io_mutex); +- if (dev->interface) +- usb_autopm_put_interface(dev->interface); +- mutex_unlock(&dev->io_mutex); ++ usb_autopm_put_interface(dev->interface); + + /* decrement the count on our device */ + kref_put(&dev->kref, skel_delete); +@@ -505,7 +503,7 @@ static int skel_probe(struct usb_interfa + init_waitqueue_head(&dev->bulk_in_wait); + + dev->udev = usb_get_dev(interface_to_usbdev(interface)); +- dev->interface = interface; ++ dev->interface = usb_get_intf(interface); + + /* set up the endpoint information */ + /* use only the first bulk-in and bulk-out endpoints */ diff --git a/queue-5.3/usb-usblcd-fix-i-o-after-disconnect.patch b/queue-5.3/usb-usblcd-fix-i-o-after-disconnect.patch new file mode 100644 index 00000000000..08b2981663b --- /dev/null +++ b/queue-5.3/usb-usblcd-fix-i-o-after-disconnect.patch @@ -0,0 +1,128 @@ +From eb7f5a490c5edfe8126f64bc58b9ba2edef0a425 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 26 Sep 2019 11:12:25 +0200 +Subject: USB: usblcd: fix I/O after disconnect + +From: Johan Hovold + +commit eb7f5a490c5edfe8126f64bc58b9ba2edef0a425 upstream. + +Make sure to stop all I/O on disconnect by adding a disconnected flag +which is used to prevent new I/O from being started and by stopping all +ongoing I/O before returning. + +This also fixes a potential use-after-free on driver unbind in case the +driver data is freed before the completion handler has run. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable # 7bbe990c989e +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20190926091228.24634-7-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/usblcd.c | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +--- a/drivers/usb/misc/usblcd.c ++++ b/drivers/usb/misc/usblcd.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -57,6 +58,8 @@ struct usb_lcd { + using up all RAM */ + struct usb_anchor submitted; /* URBs to wait for + before suspend */ ++ struct rw_semaphore io_rwsem; ++ unsigned long disconnected:1; + }; + #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref) + +@@ -142,6 +145,13 @@ static ssize_t lcd_read(struct file *fil + + dev = file->private_data; + ++ down_read(&dev->io_rwsem); ++ ++ if (dev->disconnected) { ++ retval = -ENODEV; ++ goto out_up_io; ++ } ++ + /* do a blocking bulk read to get data from the device */ + retval = usb_bulk_msg(dev->udev, + usb_rcvbulkpipe(dev->udev, +@@ -158,6 +168,9 @@ static ssize_t lcd_read(struct file *fil + retval = bytes_read; + } + ++out_up_io: ++ up_read(&dev->io_rwsem); ++ + return retval; + } + +@@ -237,11 +250,18 @@ static ssize_t lcd_write(struct file *fi + if (r < 0) + return -EINTR; + ++ down_read(&dev->io_rwsem); ++ ++ if (dev->disconnected) { ++ retval = -ENODEV; ++ goto err_up_io; ++ } ++ + /* create a urb, and a buffer for it, and copy the data to the urb */ + urb = usb_alloc_urb(0, GFP_KERNEL); + if (!urb) { + retval = -ENOMEM; +- goto err_no_buf; ++ goto err_up_io; + } + + buf = usb_alloc_coherent(dev->udev, count, GFP_KERNEL, +@@ -278,6 +298,7 @@ static ssize_t lcd_write(struct file *fi + the USB core will eventually free it entirely */ + usb_free_urb(urb); + ++ up_read(&dev->io_rwsem); + exit: + return count; + error_unanchor: +@@ -285,7 +306,8 @@ error_unanchor: + error: + usb_free_coherent(dev->udev, count, buf, urb->transfer_dma); + usb_free_urb(urb); +-err_no_buf: ++err_up_io: ++ up_read(&dev->io_rwsem); + up(&dev->limit_sem); + return retval; + } +@@ -325,6 +347,7 @@ static int lcd_probe(struct usb_interfac + + kref_init(&dev->kref); + sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES); ++ init_rwsem(&dev->io_rwsem); + init_usb_anchor(&dev->submitted); + + dev->udev = usb_get_dev(interface_to_usbdev(interface)); +@@ -422,6 +445,12 @@ static void lcd_disconnect(struct usb_in + /* give back our minor */ + usb_deregister_dev(interface, &lcd_class); + ++ down_write(&dev->io_rwsem); ++ dev->disconnected = 1; ++ up_write(&dev->io_rwsem); ++ ++ usb_kill_anchored_urbs(&dev->submitted); ++ + /* decrement our usage count */ + kref_put(&dev->kref, lcd_delete); + diff --git a/queue-5.3/usb-usblp-fix-runtime-pm-after-driver-unbind.patch b/queue-5.3/usb-usblp-fix-runtime-pm-after-driver-unbind.patch new file mode 100644 index 00000000000..8bd1cbbf5bd --- /dev/null +++ b/queue-5.3/usb-usblp-fix-runtime-pm-after-driver-unbind.patch @@ -0,0 +1,45 @@ +From 9a31535859bfd8d1c3ed391f5e9247cd87bb7909 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Oct 2019 10:49:06 +0200 +Subject: USB: usblp: fix runtime PM after driver unbind + +From: Johan Hovold + +commit 9a31535859bfd8d1c3ed391f5e9247cd87bb7909 upstream. + +Since commit c2b71462d294 ("USB: core: Fix bug caused by duplicate +interface PM usage counter") USB drivers must always balance their +runtime PM gets and puts, including when the driver has already been +unbound from the interface. + +Leaving the interface with a positive PM usage counter would prevent a +later bound driver from suspending the device. + +Fixes: c2b71462d294 ("USB: core: Fix bug caused by duplicate interface PM usage counter") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191001084908.2003-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/usblp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -461,10 +461,12 @@ static int usblp_release(struct inode *i + + mutex_lock(&usblp_mutex); + usblp->used = 0; +- if (usblp->present) { ++ if (usblp->present) + usblp_unlink_urbs(usblp); +- usb_autopm_put_interface(usblp->intf); +- } else /* finish cleanup from disconnect */ ++ ++ usb_autopm_put_interface(usblp->intf); ++ ++ if (!usblp->present) /* finish cleanup from disconnect */ + usblp_cleanup(usblp); + mutex_unlock(&usblp_mutex); + return 0; diff --git a/queue-5.3/usb-xhci-wait-for-cnr-controller-not-ready-bit-in-xhci-resume.patch b/queue-5.3/usb-xhci-wait-for-cnr-controller-not-ready-bit-in-xhci-resume.patch new file mode 100644 index 00000000000..beaa171a63c --- /dev/null +++ b/queue-5.3/usb-xhci-wait-for-cnr-controller-not-ready-bit-in-xhci-resume.patch @@ -0,0 +1,45 @@ +From a70bcbc322837eda1ab5994d12db941dc9733a7d Mon Sep 17 00:00:00 2001 +From: Rick Tseng +Date: Fri, 4 Oct 2019 14:59:30 +0300 +Subject: usb: xhci: wait for CNR controller not ready bit in xhci resume + +From: Rick Tseng + +commit a70bcbc322837eda1ab5994d12db941dc9733a7d upstream. + +NVIDIA 3.1 xHCI card would lose power when moving power state into D3Cold. +Thus we need to wait for CNR bit to clear in xhci resume, just as in +xhci init. + +[Minor changes to comment and commit message -Mathias] +Cc: +Signed-off-by: Rick Tseng +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-6-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1108,6 +1108,18 @@ int xhci_resume(struct xhci_hcd *xhci, b + hibernated = true; + + if (!hibernated) { ++ /* ++ * Some controllers might lose power during suspend, so wait ++ * for controller not ready bit to clear, just as in xHC init. ++ */ ++ retval = xhci_handshake(&xhci->op_regs->status, ++ STS_CNR, 0, 10 * 1000 * 1000); ++ if (retval) { ++ xhci_warn(xhci, "Controller not ready at resume %d\n", ++ retval); ++ spin_unlock_irq(&xhci->lock); ++ return retval; ++ } + /* step 1: restore register */ + xhci_restore_registers(xhci); + /* step 2: initialize command ring buffer */ diff --git a/queue-5.3/xhci-check-all-endpoints-for-lpm-timeout.patch b/queue-5.3/xhci-check-all-endpoints-for-lpm-timeout.patch new file mode 100644 index 00000000000..f113411ba39 --- /dev/null +++ b/queue-5.3/xhci-check-all-endpoints-for-lpm-timeout.patch @@ -0,0 +1,46 @@ +From d500c63f80f2ea08ee300e57da5f2af1c13875f5 Mon Sep 17 00:00:00 2001 +From: Jan Schmidt +Date: Fri, 4 Oct 2019 14:59:28 +0300 +Subject: xhci: Check all endpoints for LPM timeout + +From: Jan Schmidt + +commit d500c63f80f2ea08ee300e57da5f2af1c13875f5 upstream. + +If an endpoint is encountered that returns USB3_LPM_DEVICE_INITIATED, keep +checking further endpoints, as there might be periodic endpoints later +that return USB3_LPM_DISABLED due to shorter service intervals. + +Without this, the code can set too high a maximum-exit-latency and +prevent the use of multiple USB3 cameras that should be able to work. + +Cc: +Signed-off-by: Jan Schmidt +Tested-by: Philipp Zabel +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-4-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4673,12 +4673,12 @@ static int xhci_update_timeout_for_endpo + alt_timeout = xhci_call_host_update_timeout_for_endpoint(xhci, udev, + desc, state, timeout); + +- /* If we found we can't enable hub-initiated LPM, or ++ /* If we found we can't enable hub-initiated LPM, and + * the U1 or U2 exit latency was too high to allow +- * device-initiated LPM as well, just stop searching. ++ * device-initiated LPM as well, then we will disable LPM ++ * for this device, so stop searching any further. + */ +- if (alt_timeout == USB3_LPM_DISABLED || +- alt_timeout == USB3_LPM_DEVICE_INITIATED) { ++ if (alt_timeout == USB3_LPM_DISABLED) { + *timeout = alt_timeout; + return -E2BIG; + } diff --git a/queue-5.3/xhci-fix-false-warning-message-about-wrong-bounce-buffer-write-length.patch b/queue-5.3/xhci-fix-false-warning-message-about-wrong-bounce-buffer-write-length.patch new file mode 100644 index 00000000000..2403df835d5 --- /dev/null +++ b/queue-5.3/xhci-fix-false-warning-message-about-wrong-bounce-buffer-write-length.patch @@ -0,0 +1,44 @@ +From c03101ff4f74bb30679c1a03d551ecbef1024bf6 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 4 Oct 2019 14:59:26 +0300 +Subject: xhci: Fix false warning message about wrong bounce buffer write length + +From: Mathias Nyman + +commit c03101ff4f74bb30679c1a03d551ecbef1024bf6 upstream. + +The check printing out the "WARN Wrong bounce buffer write length:" +uses incorrect values when comparing bytes written from scatterlist +to bounce buffer. Actual copied lengths are fine. + +The used seg->bounce_len will be set to equal new_buf_len a few lines later +in the code, but is incorrect when doing the comparison. + +The patch which added this false warning was backported to 4.8+ kernels +so this should be backported as far as well. + +Cc: # v4.8+ +Fixes: 597c56e372da ("xhci: update bounce buffer with correct sg num") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-2-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -3202,10 +3202,10 @@ static int xhci_align_td(struct xhci_hcd + if (usb_urb_dir_out(urb)) { + len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs, + seg->bounce_buf, new_buff_len, enqd_len); +- if (len != seg->bounce_len) ++ if (len != new_buff_len) + xhci_warn(xhci, + "WARN Wrong bounce buffer write length: %zu != %d\n", +- len, seg->bounce_len); ++ len, new_buff_len); + seg->bounce_dma = dma_map_single(dev, seg->bounce_buf, + max_pkt, DMA_TO_DEVICE); + } else { diff --git a/queue-5.3/xhci-fix-null-pointer-dereference-in-xhci_clear_tt_buffer_complete.patch b/queue-5.3/xhci-fix-null-pointer-dereference-in-xhci_clear_tt_buffer_complete.patch new file mode 100644 index 00000000000..26634e90b56 --- /dev/null +++ b/queue-5.3/xhci-fix-null-pointer-dereference-in-xhci_clear_tt_buffer_complete.patch @@ -0,0 +1,46 @@ +From cfbb8a84c2d2ef49bccacb511002bca4f6053555 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 4 Oct 2019 14:59:33 +0300 +Subject: xhci: Fix NULL pointer dereference in xhci_clear_tt_buffer_complete() + +From: Mathias Nyman + +commit cfbb8a84c2d2ef49bccacb511002bca4f6053555 upstream. + +udev stored in ep->hcpriv might be NULL if tt buffer is cleared +due to a halted control endpoint during device enumeration + +xhci_clear_tt_buffer_complete is called by hub_tt_work() once it's +scheduled, and by then usb core might have freed and allocated a +new udev for the next enumeration attempt. + +Fixes: ef513be0a905 ("usb: xhci: Add Clear_TT_Buffer") +Cc: # v5.3 +Reported-by: Johan Hovold +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-9-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -5237,8 +5237,16 @@ static void xhci_clear_tt_buffer_complet + unsigned int ep_index; + unsigned long flags; + ++ /* ++ * udev might be NULL if tt buffer is cleared during a failed device ++ * enumeration due to a halted control endpoint. Usb core might ++ * have allocated a new udev for the next enumeration attempt. ++ */ ++ + xhci = hcd_to_xhci(hcd); + udev = (struct usb_device *)ep->hcpriv; ++ if (!udev) ++ return; + slot_id = udev->slot_id; + ep_index = xhci_get_endpoint_index(&ep->desc); + diff --git a/queue-5.3/xhci-fix-usb-3.1-capability-detection-on-early-xhci-1.1-spec-based-hosts.patch b/queue-5.3/xhci-fix-usb-3.1-capability-detection-on-early-xhci-1.1-spec-based-hosts.patch new file mode 100644 index 00000000000..fb708882e4b --- /dev/null +++ b/queue-5.3/xhci-fix-usb-3.1-capability-detection-on-early-xhci-1.1-spec-based-hosts.patch @@ -0,0 +1,58 @@ +From 47f50d61076523e1a0d5a070062c2311320eeca8 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 4 Oct 2019 14:59:29 +0300 +Subject: xhci: Fix USB 3.1 capability detection on early xHCI 1.1 spec based hosts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathias Nyman + +commit 47f50d61076523e1a0d5a070062c2311320eeca8 upstream. + +Early xHCI 1.1 spec did not mention USB 3.1 capable hosts should set +sbrn to 0x31, or that the minor revision is a two digit BCD +containing minor and sub-minor numbers. +This was later clarified in xHCI 1.2. + +Some USB 3.1 capable hosts therefore have sbrn set to 0x30, or minor +revision set to 0x1 instead of 0x10. + +Detect the USB 3.1 capability correctly for these hosts as well + +Fixes: ddd57980a0fd ("xhci: detect USB 3.2 capable host controllers correctly") +Cc: # v4.18+ +Cc: Loïc Yhuel +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-5-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -5078,11 +5078,18 @@ int xhci_gen_setup(struct usb_hcd *hcd, + hcd->has_tt = 1; + } else { + /* +- * Some 3.1 hosts return sbrn 0x30, use xhci supported protocol +- * minor revision instead of sbrn. Minor revision is a two digit +- * BCD containing minor and sub-minor numbers, only show minor. ++ * Early xHCI 1.1 spec did not mention USB 3.1 capable hosts ++ * should return 0x31 for sbrn, or that the minor revision ++ * is a two digit BCD containig minor and sub-minor numbers. ++ * This was later clarified in xHCI 1.2. ++ * ++ * Some USB 3.1 capable hosts therefore have sbrn 0x30, and ++ * minor revision set to 0x1 instead of 0x10. + */ +- minor_rev = xhci->usb3_rhub.min_rev / 0x10; ++ if (xhci->usb3_rhub.min_rev == 0x1) ++ minor_rev = 1; ++ else ++ minor_rev = xhci->usb3_rhub.min_rev / 0x10; + + switch (minor_rev) { + case 2: diff --git a/queue-5.3/xhci-increase-sts_save-timeout-in-xhci_suspend.patch b/queue-5.3/xhci-increase-sts_save-timeout-in-xhci_suspend.patch new file mode 100644 index 00000000000..2f60c92d912 --- /dev/null +++ b/queue-5.3/xhci-increase-sts_save-timeout-in-xhci_suspend.patch @@ -0,0 +1,41 @@ +From ac343366846a445bb81f0a0e8f16abb8bd5d5d88 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 4 Oct 2019 14:59:32 +0300 +Subject: xhci: Increase STS_SAVE timeout in xhci_suspend() + +From: Kai-Heng Feng + +commit ac343366846a445bb81f0a0e8f16abb8bd5d5d88 upstream. + +After commit f7fac17ca925 ("xhci: Convert xhci_handshake() to use +readl_poll_timeout_atomic()"), ASMedia xHCI may fail to suspend. + +Although the algorithms are essentially the same, the old max timeout is +(usec + usec * time of doing readl()), and the new max timeout is just +usec, which is much less than the old one. + +Increase the timeout to make ASMedia xHCI able to suspend again. + +BugLink: https://bugs.launchpad.net/bugs/1844021 +Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()") +Cc: # v5.2+ +Signed-off-by: Kai-Heng Feng +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-8-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1032,7 +1032,7 @@ int xhci_suspend(struct xhci_hcd *xhci, + writel(command, &xhci->op_regs->command); + xhci->broken_suspend = 0; + if (xhci_handshake(&xhci->op_regs->status, +- STS_SAVE, 0, 10 * 1000)) { ++ STS_SAVE, 0, 20 * 1000)) { + /* + * AMD SNPS xHC 3.0 occasionally does not clear the + * SSS bit of USBSTS and when driver tries to poll diff --git a/queue-5.3/xhci-prevent-deadlock-when-xhci-adapter-breaks-during-init.patch b/queue-5.3/xhci-prevent-deadlock-when-xhci-adapter-breaks-during-init.patch new file mode 100644 index 00000000000..7a1c5848785 --- /dev/null +++ b/queue-5.3/xhci-prevent-deadlock-when-xhci-adapter-breaks-during-init.patch @@ -0,0 +1,92 @@ +From 8de66b0e6a56ff10dd00d2b0f2ae52e300178587 Mon Sep 17 00:00:00 2001 +From: Bill Kuzeja +Date: Fri, 4 Oct 2019 14:59:31 +0300 +Subject: xhci: Prevent deadlock when xhci adapter breaks during init + +From: Bill Kuzeja + +commit 8de66b0e6a56ff10dd00d2b0f2ae52e300178587 upstream. + +The system can hit a deadlock if an xhci adapter breaks while initializing. +The deadlock is between two threads: thread 1 is tearing down the +adapter and is stuck in usb_unlocked_disable_lpm waiting to lock the +hcd->handwidth_mutex. Thread 2 is holding this mutex (while still trying +to add a usb device), but is stuck in xhci_endpoint_reset waiting for a +stop or config command to complete. A reboot is required to resolve. + +It turns out when calling xhci_queue_stop_endpoint and +xhci_queue_configure_endpoint in xhci_endpoint_reset, the return code is +not checked for errors. If the timing is right and the adapter dies just +before either of these commands get issued, we hang indefinitely waiting +for a completion on a command that didn't get issued. + +This wasn't a problem before the following fix because we didn't send +commands in xhci_endpoint_reset: + +commit f5249461b504 ("xhci: Clear the host side toggle manually when + endpoint is soft reset") + +With the patch I am submitting, a duration test which breaks adapters +during initialization (and which deadlocks with the standard kernel) runs +without issue. + +Fixes: f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset") +Cc: # v4.17+ +Cc: Torez Smith +Signed-off-by: Bill Kuzeja +Signed-off-by: Torez Smith +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-7-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3095,6 +3095,7 @@ static void xhci_endpoint_reset(struct u + unsigned int ep_index; + unsigned long flags; + u32 ep_flag; ++ int err; + + xhci = hcd_to_xhci(hcd); + if (!host_ep->hcpriv) +@@ -3154,7 +3155,17 @@ static void xhci_endpoint_reset(struct u + xhci_free_command(xhci, cfg_cmd); + goto cleanup; + } +- xhci_queue_stop_endpoint(xhci, stop_cmd, udev->slot_id, ep_index, 0); ++ ++ err = xhci_queue_stop_endpoint(xhci, stop_cmd, udev->slot_id, ++ ep_index, 0); ++ if (err < 0) { ++ spin_unlock_irqrestore(&xhci->lock, flags); ++ xhci_free_command(xhci, cfg_cmd); ++ xhci_dbg(xhci, "%s: Failed to queue stop ep command, %d ", ++ __func__, err); ++ goto cleanup; ++ } ++ + xhci_ring_cmd_db(xhci); + spin_unlock_irqrestore(&xhci->lock, flags); + +@@ -3168,8 +3179,16 @@ static void xhci_endpoint_reset(struct u + ctrl_ctx, ep_flag, ep_flag); + xhci_endpoint_copy(xhci, cfg_cmd->in_ctx, vdev->out_ctx, ep_index); + +- xhci_queue_configure_endpoint(xhci, cfg_cmd, cfg_cmd->in_ctx->dma, ++ err = xhci_queue_configure_endpoint(xhci, cfg_cmd, cfg_cmd->in_ctx->dma, + udev->slot_id, false); ++ if (err < 0) { ++ spin_unlock_irqrestore(&xhci->lock, flags); ++ xhci_free_command(xhci, cfg_cmd); ++ xhci_dbg(xhci, "%s: Failed to queue config ep command, %d ", ++ __func__, err); ++ goto cleanup; ++ } ++ + xhci_ring_cmd_db(xhci); + spin_unlock_irqrestore(&xhci->lock, flags); + diff --git a/queue-5.3/xhci-prevent-device-initiated-u1-u2-link-pm-if-exit-latency-is-too-long.patch b/queue-5.3/xhci-prevent-device-initiated-u1-u2-link-pm-if-exit-latency-is-too-long.patch new file mode 100644 index 00000000000..93684d85acc --- /dev/null +++ b/queue-5.3/xhci-prevent-device-initiated-u1-u2-link-pm-if-exit-latency-is-too-long.patch @@ -0,0 +1,47 @@ +From cd9d9491e835a845c1a98b8471f88d26285e0bb9 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 4 Oct 2019 14:59:27 +0300 +Subject: xhci: Prevent device initiated U1/U2 link pm if exit latency is too long + +From: Mathias Nyman + +commit cd9d9491e835a845c1a98b8471f88d26285e0bb9 upstream. + +If host/hub initiated link pm is prevented by a driver flag we still must +ensure that periodic endpoints have longer service intervals than link pm +exit latency before allowing device initiated link pm. + +Fix this by continue walking and checking endpoint service interval if +xhci_get_timeout_no_hub_lpm() returns anything else than USB3_LPM_DISABLED + +While at it fix the split line error message + +Tested-by: Jan Schmidt +Cc: +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/1570190373-30684-3-git-send-email-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4789,10 +4789,12 @@ static u16 xhci_calculate_lpm_timeout(st + if (intf->dev.driver) { + driver = to_usb_driver(intf->dev.driver); + if (driver && driver->disable_hub_initiated_lpm) { +- dev_dbg(&udev->dev, "Hub-initiated %s disabled " +- "at request of driver %s\n", +- state_name, driver->name); +- return xhci_get_timeout_no_hub_lpm(udev, state); ++ dev_dbg(&udev->dev, "Hub-initiated %s disabled at request of driver %s\n", ++ state_name, driver->name); ++ timeout = xhci_get_timeout_no_hub_lpm(udev, ++ state); ++ if (timeout == USB3_LPM_DISABLED) ++ return timeout; + } + } +