From a9f0f0dd893f6c3c96ad077ea7acbbc3d90d8cdf Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 15 Dec 2019 10:37:54 +0100 Subject: [PATCH] 4.19-stable patches added patches: arm-dts-pandora-common-define-wl1251-as-child-node-of-mmc3.patch iio-adis16480-add-debugfs_reg_access-entry.patch iio-humidity-hdc100x-fix-iio_humidityrelative-channel-reporting.patch iio-imu-inv_mpu6050-fix-temperature-reporting-using-bad-unit.patch staging-gigaset-add-endpoint-type-sanity-check.patch staging-gigaset-fix-general-protection-fault-on-probe.patch staging-gigaset-fix-illegal-free-on-probe-errors.patch staging-rtl8188eu-fix-interface-sanity-check.patch staging-rtl8712-fix-interface-sanity-check.patch usb-adutux-fix-interface-sanity-check.patch usb-atm-ueagle-atm-add-missing-endpoint-check.patch usb-idmouse-fix-interface-sanity-checks.patch usb-roles-fix-a-potential-use-after-free.patch usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch usb-xhci-only-set-d3hot-for-pci-device.patch xhci-fix-memory-leak-in-xhci_add_in_port.patch xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default-behaviour.patch xhci-increase-sts_halt-timeout-in-xhci_suspend.patch --- ...-define-wl1251-as-child-node-of-mmc3.patch | 81 ++++++++ ...is16480-add-debugfs_reg_access-entry.patch | 37 ++++ ...o_humidityrelative-channel-reporting.patch | 34 ++++ ...temperature-reporting-using-bad-unit.patch | 175 ++++++++++++++++++ queue-4.19/series | 18 ++ ...gaset-add-endpoint-type-sanity-check.patch | 51 +++++ ...ix-general-protection-fault-on-probe.patch | 40 ++++ ...set-fix-illegal-free-on-probe-errors.patch | 47 +++++ ...rtl8188eu-fix-interface-sanity-check.patch | 36 ++++ ...g-rtl8712-fix-interface-sanity-check.patch | 36 ++++ ...sb-adutux-fix-interface-sanity-check.patch | 36 ++++ ...eagle-atm-add-missing-endpoint-check.patch | 90 +++++++++ ...-idmouse-fix-interface-sanity-checks.patch | 36 ++++ ...roles-fix-a-potential-use-after-free.patch | 42 +++++ ...io_edgeport-fix-epic-endpoint-lookup.patch | 50 +++++ ...b-xhci-only-set-d3hot-for-pci-device.patch | 90 +++++++++ ...-fix-memory-leak-in-xhci_add_in_port.patch | 91 +++++++++ ...th-quirks-cases-as-default-behaviour.patch | 52 ++++++ ...ase-sts_halt-timeout-in-xhci_suspend.patch | 43 +++++ 19 files changed, 1085 insertions(+) create mode 100644 queue-4.19/arm-dts-pandora-common-define-wl1251-as-child-node-of-mmc3.patch create mode 100644 queue-4.19/iio-adis16480-add-debugfs_reg_access-entry.patch create mode 100644 queue-4.19/iio-humidity-hdc100x-fix-iio_humidityrelative-channel-reporting.patch create mode 100644 queue-4.19/iio-imu-inv_mpu6050-fix-temperature-reporting-using-bad-unit.patch create mode 100644 queue-4.19/staging-gigaset-add-endpoint-type-sanity-check.patch create mode 100644 queue-4.19/staging-gigaset-fix-general-protection-fault-on-probe.patch create mode 100644 queue-4.19/staging-gigaset-fix-illegal-free-on-probe-errors.patch create mode 100644 queue-4.19/staging-rtl8188eu-fix-interface-sanity-check.patch create mode 100644 queue-4.19/staging-rtl8712-fix-interface-sanity-check.patch create mode 100644 queue-4.19/usb-adutux-fix-interface-sanity-check.patch create mode 100644 queue-4.19/usb-atm-ueagle-atm-add-missing-endpoint-check.patch create mode 100644 queue-4.19/usb-idmouse-fix-interface-sanity-checks.patch create mode 100644 queue-4.19/usb-roles-fix-a-potential-use-after-free.patch create mode 100644 queue-4.19/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch create mode 100644 queue-4.19/usb-xhci-only-set-d3hot-for-pci-device.patch create mode 100644 queue-4.19/xhci-fix-memory-leak-in-xhci_add_in_port.patch create mode 100644 queue-4.19/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default-behaviour.patch create mode 100644 queue-4.19/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch diff --git a/queue-4.19/arm-dts-pandora-common-define-wl1251-as-child-node-of-mmc3.patch b/queue-4.19/arm-dts-pandora-common-define-wl1251-as-child-node-of-mmc3.patch new file mode 100644 index 00000000000..3908888a8d9 --- /dev/null +++ b/queue-4.19/arm-dts-pandora-common-define-wl1251-as-child-node-of-mmc3.patch @@ -0,0 +1,81 @@ +From 4f9007d692017cef38baf2a9b82b7879d5b2407b Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Thu, 7 Nov 2019 11:30:36 +0100 +Subject: ARM: dts: pandora-common: define wl1251 as child node of mmc3 + +From: H. Nikolaus Schaller + +commit 4f9007d692017cef38baf2a9b82b7879d5b2407b upstream. + +Since v4.7 the dma initialization requires that there is a +device tree property for "rx" and "tx" channels which is +not provided by the pdata-quirks initialization. + +By conversion of the mmc3 setup to device tree this will +finally allows to remove the OpenPandora wlan specific omap3 +data-quirks. + +Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel") +Signed-off-by: H. Nikolaus Schaller +Cc: # v4.7+ +Acked-by: Tony Lindgren +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap3-pandora-common.dtsi | 36 ++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/omap3-pandora-common.dtsi ++++ b/arch/arm/boot/dts/omap3-pandora-common.dtsi +@@ -229,6 +229,17 @@ + gpio = <&gpio6 4 GPIO_ACTIVE_HIGH>; /* GPIO_164 */ + }; + ++ /* wl1251 wifi+bt module */ ++ wlan_en: fixed-regulator-wg7210_en { ++ compatible = "regulator-fixed"; ++ regulator-name = "vwlan"; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ startup-delay-us = <50000>; ++ enable-active-high; ++ gpio = <&gpio1 23 GPIO_ACTIVE_HIGH>; ++ }; ++ + /* wg7210 (wifi+bt module) 32k clock buffer */ + wg7210_32k: fixed-regulator-wg7210_32k { + compatible = "regulator-fixed"; +@@ -525,9 +536,30 @@ + /*wp-gpios = <&gpio4 31 GPIO_ACTIVE_HIGH>;*/ /* GPIO_127 */ + }; + +-/* mmc3 is probed using pdata-quirks to pass wl1251 card data */ + &mmc3 { +- status = "disabled"; ++ vmmc-supply = <&wlan_en>; ++ ++ bus-width = <4>; ++ non-removable; ++ ti,non-removable; ++ cap-power-off-card; ++ ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc3_pins>; ++ ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ wlan: wifi@1 { ++ compatible = "ti,wl1251"; ++ ++ reg = <1>; ++ ++ interrupt-parent = <&gpio1>; ++ interrupts = <21 IRQ_TYPE_LEVEL_HIGH>; /* GPIO_21 */ ++ ++ ti,wl1251-has-eeprom; ++ }; + }; + + /* bluetooth*/ diff --git a/queue-4.19/iio-adis16480-add-debugfs_reg_access-entry.patch b/queue-4.19/iio-adis16480-add-debugfs_reg_access-entry.patch new file mode 100644 index 00000000000..26f6c0f832a --- /dev/null +++ b/queue-4.19/iio-adis16480-add-debugfs_reg_access-entry.patch @@ -0,0 +1,37 @@ +From 4c35b7a51e2f291471f7221d112c6a45c63e83bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Mon, 28 Oct 2019 17:33:49 +0100 +Subject: iio: adis16480: Add debugfs_reg_access entry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 4c35b7a51e2f291471f7221d112c6a45c63e83bc upstream. + +The driver is defining debugfs entries by calling +`adis16480_debugfs_init()`. However, those entries are attached to the +iio_dev debugfs entry which won't exist if no debugfs_reg_access +callback is provided. + +Fixes: 2f3abe6cbb6c ("iio:imu: Add support for the ADIS16480 and similar IMUs") +Signed-off-by: Nuno Sá +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/imu/adis16480.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/imu/adis16480.c ++++ b/drivers/iio/imu/adis16480.c +@@ -727,6 +727,7 @@ static const struct iio_info adis16480_i + .read_raw = &adis16480_read_raw, + .write_raw = &adis16480_write_raw, + .update_scan_mode = adis_update_scan_mode, ++ .debugfs_reg_access = adis_debugfs_reg_access, + }; + + static int adis16480_stop_device(struct iio_dev *indio_dev) diff --git a/queue-4.19/iio-humidity-hdc100x-fix-iio_humidityrelative-channel-reporting.patch b/queue-4.19/iio-humidity-hdc100x-fix-iio_humidityrelative-channel-reporting.patch new file mode 100644 index 00000000000..3c583764032 --- /dev/null +++ b/queue-4.19/iio-humidity-hdc100x-fix-iio_humidityrelative-channel-reporting.patch @@ -0,0 +1,34 @@ +From 342a6928bd5017edbdae376042d8ad6af3d3b943 Mon Sep 17 00:00:00 2001 +From: Chris Lesiak +Date: Thu, 21 Nov 2019 20:39:42 +0000 +Subject: iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting + +From: Chris Lesiak + +commit 342a6928bd5017edbdae376042d8ad6af3d3b943 upstream. + +The IIO_HUMIDITYRELATIVE channel was being incorrectly reported back +as percent when it should have been milli percent. This is via an +incorrect scale value being returned to userspace. + +Signed-off-by: Chris Lesiak +Acked-by: Matt Ranostay +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/humidity/hdc100x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/humidity/hdc100x.c ++++ b/drivers/iio/humidity/hdc100x.c +@@ -229,7 +229,7 @@ static int hdc100x_read_raw(struct iio_d + *val2 = 65536; + return IIO_VAL_FRACTIONAL; + } else { +- *val = 100; ++ *val = 100000; + *val2 = 65536; + return IIO_VAL_FRACTIONAL; + } diff --git a/queue-4.19/iio-imu-inv_mpu6050-fix-temperature-reporting-using-bad-unit.patch b/queue-4.19/iio-imu-inv_mpu6050-fix-temperature-reporting-using-bad-unit.patch new file mode 100644 index 00000000000..9dc623b8c60 --- /dev/null +++ b/queue-4.19/iio-imu-inv_mpu6050-fix-temperature-reporting-using-bad-unit.patch @@ -0,0 +1,175 @@ +From 53eaa9c27fdc01b4f4d885223e29f97393409e7e Mon Sep 17 00:00:00 2001 +From: Jean-Baptiste Maneyrol +Date: Tue, 26 Nov 2019 17:19:12 +0100 +Subject: iio: imu: inv_mpu6050: fix temperature reporting using bad unit + +From: Jean-Baptiste Maneyrol + +commit 53eaa9c27fdc01b4f4d885223e29f97393409e7e upstream. + +Temperature should be reported in milli-degrees, not degrees. Fix +scale and offset values to use the correct unit. + +This is a fix for an issue that has been present for a long time. +The fixes tag reflects the point at which the code last changed in a +fashion that would make this fix patch no longer apply. Backports +will be necessary to fix those elements that predate that patch. + +Fixes: 1615fe41a195 ("iio: imu: mpu6050: Fix FIFO layout for ICM20602") +Cc: stable@vger.kernel.org +Signed-off-by: Jean-Baptiste Maneyrol +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 23 ++++++++++++----------- + drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 16 ++++++++++++---- + 2 files changed, 24 insertions(+), 15 deletions(-) + +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +@@ -122,6 +122,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6050, + .config = &chip_config_6050, + .fifo_size = 1024, ++ .temp = {INV_MPU6050_TEMP_OFFSET, INV_MPU6050_TEMP_SCALE}, + }, + { + .whoami = INV_MPU6500_WHOAMI_VALUE, +@@ -129,6 +130,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6500, + .config = &chip_config_6050, + .fifo_size = 512, ++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE}, + }, + { + .whoami = INV_MPU6515_WHOAMI_VALUE, +@@ -136,6 +138,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6500, + .config = &chip_config_6050, + .fifo_size = 512, ++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE}, + }, + { + .whoami = INV_MPU6000_WHOAMI_VALUE, +@@ -143,6 +146,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6050, + .config = &chip_config_6050, + .fifo_size = 1024, ++ .temp = {INV_MPU6050_TEMP_OFFSET, INV_MPU6050_TEMP_SCALE}, + }, + { + .whoami = INV_MPU9150_WHOAMI_VALUE, +@@ -150,6 +154,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6050, + .config = &chip_config_6050, + .fifo_size = 1024, ++ .temp = {INV_MPU6050_TEMP_OFFSET, INV_MPU6050_TEMP_SCALE}, + }, + { + .whoami = INV_MPU9250_WHOAMI_VALUE, +@@ -157,6 +162,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6500, + .config = &chip_config_6050, + .fifo_size = 512, ++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE}, + }, + { + .whoami = INV_MPU9255_WHOAMI_VALUE, +@@ -164,6 +170,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6500, + .config = &chip_config_6050, + .fifo_size = 512, ++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE}, + }, + { + .whoami = INV_ICM20608_WHOAMI_VALUE, +@@ -171,6 +178,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_6500, + .config = &chip_config_6050, + .fifo_size = 512, ++ .temp = {INV_ICM20608_TEMP_OFFSET, INV_ICM20608_TEMP_SCALE}, + }, + { + .whoami = INV_ICM20602_WHOAMI_VALUE, +@@ -178,6 +186,7 @@ static const struct inv_mpu6050_hw hw_in + .reg = ®_set_icm20602, + .config = &chip_config_6050, + .fifo_size = 1008, ++ .temp = {INV_ICM20608_TEMP_OFFSET, INV_ICM20608_TEMP_SCALE}, + }, + }; + +@@ -478,12 +487,8 @@ inv_mpu6050_read_raw(struct iio_dev *ind + + return IIO_VAL_INT_PLUS_MICRO; + case IIO_TEMP: +- *val = 0; +- if (st->chip_type == INV_ICM20602) +- *val2 = INV_ICM20602_TEMP_SCALE; +- else +- *val2 = INV_MPU6050_TEMP_SCALE; +- ++ *val = st->hw->temp.scale / 1000000; ++ *val2 = st->hw->temp.scale % 1000000; + return IIO_VAL_INT_PLUS_MICRO; + default: + return -EINVAL; +@@ -491,11 +496,7 @@ inv_mpu6050_read_raw(struct iio_dev *ind + case IIO_CHAN_INFO_OFFSET: + switch (chan->type) { + case IIO_TEMP: +- if (st->chip_type == INV_ICM20602) +- *val = INV_ICM20602_TEMP_OFFSET; +- else +- *val = INV_MPU6050_TEMP_OFFSET; +- ++ *val = st->hw->temp.offset; + return IIO_VAL_INT; + default: + return -EINVAL; +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +@@ -109,6 +109,7 @@ struct inv_mpu6050_chip_config { + * @reg: register map of the chip. + * @config: configuration of the chip. + * @fifo_size: size of the FIFO in bytes. ++ * @temp: offset and scale to apply to raw temperature. + */ + struct inv_mpu6050_hw { + u8 whoami; +@@ -116,6 +117,10 @@ struct inv_mpu6050_hw { + const struct inv_mpu6050_reg_map *reg; + const struct inv_mpu6050_chip_config *config; + size_t fifo_size; ++ struct { ++ int offset; ++ int scale; ++ } temp; + }; + + /* +@@ -224,16 +229,19 @@ struct inv_mpu6050_state { + #define INV_MPU6050_REG_UP_TIME_MIN 5000 + #define INV_MPU6050_REG_UP_TIME_MAX 10000 + +-#define INV_MPU6050_TEMP_OFFSET 12421 +-#define INV_MPU6050_TEMP_SCALE 2941 ++#define INV_MPU6050_TEMP_OFFSET 12420 ++#define INV_MPU6050_TEMP_SCALE 2941176 + #define INV_MPU6050_MAX_GYRO_FS_PARAM 3 + #define INV_MPU6050_MAX_ACCL_FS_PARAM 3 + #define INV_MPU6050_THREE_AXIS 3 + #define INV_MPU6050_GYRO_CONFIG_FSR_SHIFT 3 + #define INV_MPU6050_ACCL_CONFIG_FSR_SHIFT 3 + +-#define INV_ICM20602_TEMP_OFFSET 8170 +-#define INV_ICM20602_TEMP_SCALE 3060 ++#define INV_MPU6500_TEMP_OFFSET 7011 ++#define INV_MPU6500_TEMP_SCALE 2995178 ++ ++#define INV_ICM20608_TEMP_OFFSET 8170 ++#define INV_ICM20608_TEMP_SCALE 3059976 + + /* 6 + 6 round up and plus 8 */ + #define INV_MPU6050_OUTPUT_DATA_SIZE 24 diff --git a/queue-4.19/series b/queue-4.19/series index 60edc1c8929..68dad56ff56 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -6,3 +6,21 @@ usb-uas-honor-flag-to-avoid-capacity16.patch usb-uas-heed-capacity_heuristics.patch usb-documentation-flags-on-usb-storage-versus-uas.patch usb-allow-usb-device-to-be-warm-reset-in-suspended-state.patch +staging-rtl8188eu-fix-interface-sanity-check.patch +staging-rtl8712-fix-interface-sanity-check.patch +staging-gigaset-fix-general-protection-fault-on-probe.patch +staging-gigaset-fix-illegal-free-on-probe-errors.patch +staging-gigaset-add-endpoint-type-sanity-check.patch +usb-xhci-only-set-d3hot-for-pci-device.patch +xhci-fix-memory-leak-in-xhci_add_in_port.patch +xhci-increase-sts_halt-timeout-in-xhci_suspend.patch +xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default-behaviour.patch +arm-dts-pandora-common-define-wl1251-as-child-node-of-mmc3.patch +iio-adis16480-add-debugfs_reg_access-entry.patch +iio-humidity-hdc100x-fix-iio_humidityrelative-channel-reporting.patch +iio-imu-inv_mpu6050-fix-temperature-reporting-using-bad-unit.patch +usb-atm-ueagle-atm-add-missing-endpoint-check.patch +usb-idmouse-fix-interface-sanity-checks.patch +usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch +usb-roles-fix-a-potential-use-after-free.patch +usb-adutux-fix-interface-sanity-check.patch diff --git a/queue-4.19/staging-gigaset-add-endpoint-type-sanity-check.patch b/queue-4.19/staging-gigaset-add-endpoint-type-sanity-check.patch new file mode 100644 index 00000000000..7f94c0bd481 --- /dev/null +++ b/queue-4.19/staging-gigaset-add-endpoint-type-sanity-check.patch @@ -0,0 +1,51 @@ +From ed9ed5a89acba51b82bdff61144d4e4a4245ec8a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 2 Dec 2019 09:56:10 +0100 +Subject: staging: gigaset: add endpoint-type sanity check + +From: Johan Hovold + +commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream. + +Add missing endpoint-type sanity checks to probe. + +This specifically prevents a warning in USB core on URB submission when +fuzzing USB descriptors. + +Signed-off-by: Johan Hovold +Cc: stable +Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/gigaset/usb-gigaset.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -708,6 +708,12 @@ static int gigaset_probe(struct usb_inte + + endpoint = &hostif->endpoint[0].desc; + ++ if (!usb_endpoint_is_bulk_out(endpoint)) { ++ dev_err(&interface->dev, "missing bulk-out endpoint\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + buffer_size = le16_to_cpu(endpoint->wMaxPacketSize); + ucs->bulk_out_size = buffer_size; + ucs->bulk_out_epnum = usb_endpoint_num(endpoint); +@@ -727,6 +733,12 @@ static int gigaset_probe(struct usb_inte + + endpoint = &hostif->endpoint[1].desc; + ++ if (!usb_endpoint_is_int_in(endpoint)) { ++ dev_err(&interface->dev, "missing int-in endpoint\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + ucs->busy = 0; + + ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL); diff --git a/queue-4.19/staging-gigaset-fix-general-protection-fault-on-probe.patch b/queue-4.19/staging-gigaset-fix-general-protection-fault-on-probe.patch new file mode 100644 index 00000000000..8af6f38c70b --- /dev/null +++ b/queue-4.19/staging-gigaset-fix-general-protection-fault-on-probe.patch @@ -0,0 +1,40 @@ +From 53f35a39c3860baac1e5ca80bf052751cfb24a99 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 2 Dec 2019 09:56:08 +0100 +Subject: staging: gigaset: fix general protection fault on probe + +From: Johan Hovold + +commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream. + +Fix a general protection fault when accessing the endpoint descriptors +which could be triggered by a malicious device due to missing sanity +checks on the number of endpoints. + +Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com +Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter") +Cc: stable # 2.6.17 +Cc: Hansjoerg Lipp +Cc: Tilman Schmidt +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/gigaset/usb-gigaset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -688,6 +688,11 @@ static int gigaset_probe(struct usb_inte + return -ENODEV; + } + ++ if (hostif->desc.bNumEndpoints < 2) { ++ dev_err(&interface->dev, "missing endpoints\n"); ++ return -ENODEV; ++ } ++ + dev_info(&udev->dev, "%s: Device matched ... !\n", __func__); + + /* allocate memory for our device state and initialize it */ diff --git a/queue-4.19/staging-gigaset-fix-illegal-free-on-probe-errors.patch b/queue-4.19/staging-gigaset-fix-illegal-free-on-probe-errors.patch new file mode 100644 index 00000000000..030fd44c9ff --- /dev/null +++ b/queue-4.19/staging-gigaset-fix-illegal-free-on-probe-errors.patch @@ -0,0 +1,47 @@ +From 84f60ca7b326ed8c08582417493982fe2573a9ad Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 2 Dec 2019 09:56:09 +0100 +Subject: staging: gigaset: fix illegal free on probe errors + +From: Johan Hovold + +commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream. + +The driver failed to initialise its receive-buffer pointer, something +which could lead to an illegal free on late probe errors. + +Fix this by making sure to clear all driver data at allocation. + +Fixes: 2032e2c2309d ("usb_gigaset: code cleanup") +Cc: stable # 2.6.33 +Cc: Tilman Schmidt +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/isdn/gigaset/usb-gigaset.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -574,8 +574,7 @@ static int gigaset_initcshw(struct cards + { + struct usb_cardstate *ucs; + +- cs->hw.usb = ucs = +- kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL); ++ cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL); + if (!ucs) { + pr_err("out of memory\n"); + return -ENOMEM; +@@ -587,9 +586,6 @@ static int gigaset_initcshw(struct cards + ucs->bchars[3] = 0; + ucs->bchars[4] = 0x11; + ucs->bchars[5] = 0x13; +- ucs->bulk_out_buffer = NULL; +- ucs->bulk_out_urb = NULL; +- ucs->read_urb = NULL; + tasklet_init(&cs->write_tasklet, + gigaset_modem_fill, (unsigned long) cs); + diff --git a/queue-4.19/staging-rtl8188eu-fix-interface-sanity-check.patch b/queue-4.19/staging-rtl8188eu-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..82226a91585 --- /dev/null +++ b/queue-4.19/staging-rtl8188eu-fix-interface-sanity-check.patch @@ -0,0 +1,36 @@ +From 74ca34118a0e05793935d804ccffcedd6eb56596 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:47:50 +0100 +Subject: staging: rtl8188eu: fix interface sanity check + +From: Johan Hovold + +commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20") +Cc: stable # 3.12 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -70,7 +70,7 @@ static struct dvobj_priv *usb_dvobj_init + phost_conf = pusbd->actconfig; + pconf_desc = &phost_conf->desc; + +- phost_iface = &usb_intf->altsetting[0]; ++ phost_iface = usb_intf->cur_altsetting; + piface_desc = &phost_iface->desc; + + pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces; diff --git a/queue-4.19/staging-rtl8712-fix-interface-sanity-check.patch b/queue-4.19/staging-rtl8712-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..220d843ba48 --- /dev/null +++ b/queue-4.19/staging-rtl8712-fix-interface-sanity-check.patch @@ -0,0 +1,36 @@ +From c724f776f048538ecfdf53a52b7a522309f5c504 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:47:51 +0100 +Subject: staging: rtl8712: fix interface sanity check + +From: Johan Hovold + +commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") +Cc: stable # 2.6.37 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8712/usb_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -275,7 +275,7 @@ static uint r8712_usb_dvobj_init(struct + + pdvobjpriv->padapter = padapter; + padapter->EepromAddressSize = 6; +- phost_iface = &pintf->altsetting[0]; ++ phost_iface = pintf->cur_altsetting; + piface_desc = &phost_iface->desc; + pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints; + if (pusbd->speed == USB_SPEED_HIGH) { diff --git a/queue-4.19/usb-adutux-fix-interface-sanity-check.patch b/queue-4.19/usb-adutux-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..9884d4691fb --- /dev/null +++ b/queue-4.19/usb-adutux-fix-interface-sanity-check.patch @@ -0,0 +1,36 @@ +From 3c11c4bed02b202e278c0f5c319ae435d7fb9815 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:25:59 +0100 +Subject: USB: adutux: fix interface sanity check + +From: Johan Hovold + +commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices") +Cc: stable # 2.6.19 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/adutux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -671,7 +671,7 @@ static int adu_probe(struct usb_interfac + init_waitqueue_head(&dev->read_wait); + init_waitqueue_head(&dev->write_wait); + +- res = usb_find_common_endpoints_reverse(&interface->altsetting[0], ++ res = usb_find_common_endpoints_reverse(interface->cur_altsetting, + NULL, NULL, + &dev->interrupt_in_endpoint, + &dev->interrupt_out_endpoint); diff --git a/queue-4.19/usb-atm-ueagle-atm-add-missing-endpoint-check.patch b/queue-4.19/usb-atm-ueagle-atm-add-missing-endpoint-check.patch new file mode 100644 index 00000000000..87bfebc6b4c --- /dev/null +++ b/queue-4.19/usb-atm-ueagle-atm-add-missing-endpoint-check.patch @@ -0,0 +1,90 @@ +From 09068c1ad53fb077bdac288869dec2435420bdc4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:25:58 +0100 +Subject: USB: atm: ueagle-atm: add missing endpoint check + +From: Johan Hovold + +commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream. + +Make sure that the interrupt interface has an endpoint before trying to +access its endpoint descriptors to avoid dereferencing a NULL pointer. + +The driver binds to the interrupt interface with interface number 0, but +must not assume that this interface or its current alternate setting are +the first entries in the corresponding configuration arrays. + +Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") +Cc: stable # 2.6.16 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/usb/atm/ueagle-atm.c ++++ b/drivers/usb/atm/ueagle-atm.c +@@ -2168,10 +2168,11 @@ resubmit: + /* + * Start the modem : init the data and start kernel thread + */ +-static int uea_boot(struct uea_softc *sc) ++static int uea_boot(struct uea_softc *sc, struct usb_interface *intf) + { +- int ret, size; + struct intr_pkt *intr; ++ int ret = -ENOMEM; ++ int size; + + uea_enters(INS_TO_USBDEV(sc)); + +@@ -2196,6 +2197,11 @@ static int uea_boot(struct uea_softc *sc + if (UEA_CHIP_VERSION(sc) == ADI930) + load_XILINX_firmware(sc); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { ++ ret = -ENODEV; ++ goto err0; ++ } ++ + intr = kmalloc(size, GFP_KERNEL); + if (!intr) + goto err0; +@@ -2207,8 +2213,7 @@ static int uea_boot(struct uea_softc *sc + usb_fill_int_urb(sc->urb_int, sc->usb_dev, + usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), + intr, size, uea_intr, sc, +- sc->usb_dev->actconfig->interface[0]->altsetting[0]. +- endpoint[0].desc.bInterval); ++ intf->cur_altsetting->endpoint[0].desc.bInterval); + + ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); + if (ret < 0) { +@@ -2223,6 +2228,7 @@ static int uea_boot(struct uea_softc *sc + sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); + if (IS_ERR(sc->kthread)) { + uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); ++ ret = PTR_ERR(sc->kthread); + goto err2; + } + +@@ -2237,7 +2243,7 @@ err1: + kfree(intr); + err0: + uea_leaves(INS_TO_USBDEV(sc)); +- return -ENOMEM; ++ return ret; + } + + /* +@@ -2598,7 +2604,7 @@ static int uea_bind(struct usbatm_data * + if (ret < 0) + goto error; + +- ret = uea_boot(sc); ++ ret = uea_boot(sc, intf); + if (ret < 0) + goto error_rm_grp; + diff --git a/queue-4.19/usb-idmouse-fix-interface-sanity-checks.patch b/queue-4.19/usb-idmouse-fix-interface-sanity-checks.patch new file mode 100644 index 00000000000..fdc8a1df6b2 --- /dev/null +++ b/queue-4.19/usb-idmouse-fix-interface-sanity-checks.patch @@ -0,0 +1,36 @@ +From 59920635b89d74b9207ea803d5e91498d39e8b69 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:26:00 +0100 +Subject: USB: idmouse: fix interface sanity checks + +From: Johan Hovold + +commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/idmouse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -337,7 +337,7 @@ static int idmouse_probe(struct usb_inte + int result; + + /* check if we have gotten the data or the hid interface */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0x0A) + return -ENODEV; + diff --git a/queue-4.19/usb-roles-fix-a-potential-use-after-free.patch b/queue-4.19/usb-roles-fix-a-potential-use-after-free.patch new file mode 100644 index 00000000000..7bb63d1dcc8 --- /dev/null +++ b/queue-4.19/usb-roles-fix-a-potential-use-after-free.patch @@ -0,0 +1,42 @@ +From 1848a543191ae32e558bb0a5974ae7c38ebd86fc Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Sun, 24 Nov 2019 22:22:36 +0800 +Subject: usb: roles: fix a potential use after free + +From: Wen Yang + +commit 1848a543191ae32e558bb0a5974ae7c38ebd86fc upstream. + +Free the sw structure only after we are done using it. +This patch just moves the put_device() down a bit to avoid the +use after free. + +Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting") +Signed-off-by: Wen Yang +Reviewed-by: Heikki Krogerus +Reviewed-by: Peter Chen +Cc: stable +Cc: Hans de Goede +Cc: Chunfeng Yun +Cc: Suzuki K Poulose +Cc: linux-usb@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20191124142236.25671-1-wenyang@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/roles/class.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/roles/class.c ++++ b/drivers/usb/roles/class.c +@@ -130,8 +130,8 @@ EXPORT_SYMBOL_GPL(usb_role_switch_get); + void usb_role_switch_put(struct usb_role_switch *sw) + { + if (!IS_ERR_OR_NULL(sw)) { +- put_device(&sw->dev); + module_put(sw->dev.parent->driver->owner); ++ put_device(&sw->dev); + } + } + EXPORT_SYMBOL_GPL(usb_role_switch_put); diff --git a/queue-4.19/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch b/queue-4.19/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch new file mode 100644 index 00000000000..5b641db70fc --- /dev/null +++ b/queue-4.19/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch @@ -0,0 +1,50 @@ +From 7c5a2df3367a2c4984f1300261345817d95b71f8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:26:01 +0100 +Subject: USB: serial: io_edgeport: fix epic endpoint lookup + +From: Johan Hovold + +commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream. + +Make sure to use the current alternate setting when looking up the +endpoints on epic devices to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") +Cc: stable # 2.6.21 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_edgeport.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2919,16 +2919,18 @@ static int edge_startup(struct usb_seria + response = 0; + + if (edge_serial->is_epic) { ++ struct usb_host_interface *alt; ++ ++ alt = serial->interface->cur_altsetting; ++ + /* EPIC thing, set up our interrupt polling now and our read + * urb, so that the device knows it really is connected. */ + interrupt_in_found = bulk_in_found = bulk_out_found = false; +- for (i = 0; i < serial->interface->altsetting[0] +- .desc.bNumEndpoints; ++i) { ++ for (i = 0; i < alt->desc.bNumEndpoints; ++i) { + struct usb_endpoint_descriptor *endpoint; + int buffer_size; + +- endpoint = &serial->interface->altsetting[0]. +- endpoint[i].desc; ++ endpoint = &alt->endpoint[i].desc; + buffer_size = usb_endpoint_maxp(endpoint); + if (!interrupt_in_found && + (usb_endpoint_is_int_in(endpoint))) { diff --git a/queue-4.19/usb-xhci-only-set-d3hot-for-pci-device.patch b/queue-4.19/usb-xhci-only-set-d3hot-for-pci-device.patch new file mode 100644 index 00000000000..5c77c04639e --- /dev/null +++ b/queue-4.19/usb-xhci-only-set-d3hot-for-pci-device.patch @@ -0,0 +1,90 @@ +From f2c710f7dca8457e88b4ac9de2060f011254f9dd Mon Sep 17 00:00:00 2001 +From: Henry Lin +Date: Wed, 11 Dec 2019 16:20:04 +0200 +Subject: usb: xhci: only set D3hot for pci device + +From: Henry Lin + +commit f2c710f7dca8457e88b4ac9de2060f011254f9dd upstream. + +Xhci driver cannot call pci_set_power_state() on non-pci xhci host +controllers. For example, NVIDIA Tegra XHCI host controller which acts +as platform device with XHCI_SPURIOUS_WAKEUP quirk set in some platform +hits this issue during shutdown. + +Cc: +Fixes: 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell") +Signed-off-by: Henry Lin +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-pci.c | 13 +++++++++++++ + drivers/usb/host/xhci.c | 7 ++----- + drivers/usb/host/xhci.h | 1 + + 3 files changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -495,6 +495,18 @@ static int xhci_pci_resume(struct usb_hc + } + #endif /* CONFIG_PM */ + ++static void xhci_pci_shutdown(struct usb_hcd *hcd) ++{ ++ struct xhci_hcd *xhci = hcd_to_xhci(hcd); ++ struct pci_dev *pdev = to_pci_dev(hcd->self.controller); ++ ++ xhci_shutdown(hcd); ++ ++ /* Yet another workaround for spurious wakeups at shutdown with HSW */ ++ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) ++ pci_set_power_state(pdev, PCI_D3hot); ++} ++ + /*-------------------------------------------------------------------------*/ + + /* PCI driver selection metadata; PCI hotplugging uses this */ +@@ -530,6 +542,7 @@ static int __init xhci_pci_init(void) + #ifdef CONFIG_PM + xhci_pci_hc_driver.pci_suspend = xhci_pci_suspend; + xhci_pci_hc_driver.pci_resume = xhci_pci_resume; ++ xhci_pci_hc_driver.shutdown = xhci_pci_shutdown; + #endif + return pci_register_driver(&xhci_pci_driver); + } +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -769,7 +769,7 @@ static void xhci_stop(struct usb_hcd *hc + * + * This will only ever be called with the main usb_hcd (the USB3 roothub). + */ +-static void xhci_shutdown(struct usb_hcd *hcd) ++void xhci_shutdown(struct usb_hcd *hcd) + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + +@@ -788,11 +788,8 @@ static void xhci_shutdown(struct usb_hcd + xhci_dbg_trace(xhci, trace_xhci_dbg_init, + "xhci_shutdown completed - status = %x", + readl(&xhci->op_regs->status)); +- +- /* Yet another workaround for spurious wakeups at shutdown with HSW */ +- if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) +- pci_set_power_state(to_pci_dev(hcd->self.sysdev), PCI_D3hot); + } ++EXPORT_SYMBOL_GPL(xhci_shutdown); + + #ifdef CONFIG_PM + static void xhci_save_registers(struct xhci_hcd *xhci) +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -2052,6 +2052,7 @@ int xhci_start(struct xhci_hcd *xhci); + int xhci_reset(struct xhci_hcd *xhci); + int xhci_run(struct usb_hcd *hcd); + int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks); ++void xhci_shutdown(struct usb_hcd *hcd); + void xhci_init_driver(struct hc_driver *drv, + const struct xhci_driver_overrides *over); + int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id); diff --git a/queue-4.19/xhci-fix-memory-leak-in-xhci_add_in_port.patch b/queue-4.19/xhci-fix-memory-leak-in-xhci_add_in_port.patch new file mode 100644 index 00000000000..c8b24e56a1e --- /dev/null +++ b/queue-4.19/xhci-fix-memory-leak-in-xhci_add_in_port.patch @@ -0,0 +1,91 @@ +From ce91f1a43b37463f517155bdfbd525eb43adbd1a Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 11 Dec 2019 16:20:02 +0200 +Subject: xhci: Fix memory leak in xhci_add_in_port() + +From: Mika Westerberg + +commit ce91f1a43b37463f517155bdfbd525eb43adbd1a upstream. + +When xHCI is part of Alpine or Titan Ridge Thunderbolt controller and +the xHCI device is hot-removed as a result of unplugging a dock for +example, the driver leaks memory it allocates for xhci->usb3_rhub.psi +and xhci->usb2_rhub.psi in xhci_add_in_port() as reported by kmemleak: + +unreferenced object 0xffff922c24ef42f0 (size 16): + comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) + hex dump (first 16 bytes): + 21 00 0c 00 12 00 dc 05 23 00 e0 01 00 00 00 00 !.......#....... + backtrace: + [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 + [<0000000001b6d775>] xhci_init+0x7c/0x160 + [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 + [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 + [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 + [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 + [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 + [<00000000b9231f25>] local_pci_probe+0x3d/0x70 + [<000000006385c9d7>] pci_device_probe+0xd0/0x150 + [<0000000070241068>] really_probe+0xf5/0x3c0 + [<0000000061f35c0a>] driver_probe_device+0x58/0x100 + [<000000009da11198>] bus_for_each_drv+0x79/0xc0 + [<000000009ce45f69>] __device_attach+0xda/0x160 + [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 + [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 + [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 +unreferenced object 0xffff922c24ef3318 (size 8): + comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) + hex dump (first 8 bytes): + 34 01 05 00 35 41 0a 00 4...5A.. + backtrace: + [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 + [<0000000001b6d775>] xhci_init+0x7c/0x160 + [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 + [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 + [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 + [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 + [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 + [<00000000b9231f25>] local_pci_probe+0x3d/0x70 + [<000000006385c9d7>] pci_device_probe+0xd0/0x150 + [<0000000070241068>] really_probe+0xf5/0x3c0 + [<0000000061f35c0a>] driver_probe_device+0x58/0x100 + [<000000009da11198>] bus_for_each_drv+0x79/0xc0 + [<000000009ce45f69>] __device_attach+0xda/0x160 + [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 + [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 + [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 + +Fix this by calling kfree() for the both psi objects in +xhci_mem_cleanup(). + +Cc: # 4.4+ +Fixes: 47189098f8be ("xhci: parse xhci protocol speed ID list for usb 3.1 usage") +Signed-off-by: Mika Westerberg +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-mem.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1909,13 +1909,17 @@ no_bw: + xhci->usb3_rhub.num_ports = 0; + xhci->num_active_eps = 0; + kfree(xhci->usb2_rhub.ports); ++ kfree(xhci->usb2_rhub.psi); + kfree(xhci->usb3_rhub.ports); ++ kfree(xhci->usb3_rhub.psi); + kfree(xhci->hw_ports); + kfree(xhci->rh_bw); + kfree(xhci->ext_caps); + + xhci->usb2_rhub.ports = NULL; ++ xhci->usb2_rhub.psi = NULL; + xhci->usb3_rhub.ports = NULL; ++ xhci->usb3_rhub.psi = NULL; + xhci->hw_ports = NULL; + xhci->rh_bw = NULL; + xhci->ext_caps = NULL; diff --git a/queue-4.19/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default-behaviour.patch b/queue-4.19/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default-behaviour.patch new file mode 100644 index 00000000000..82ecea3ab74 --- /dev/null +++ b/queue-4.19/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default-behaviour.patch @@ -0,0 +1,52 @@ +From 7ff11162808cc2ec66353fc012c58bb449c892c3 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 11 Dec 2019 16:20:06 +0200 +Subject: xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour. + +From: Mathias Nyman + +commit 7ff11162808cc2ec66353fc012c58bb449c892c3 upstream. + +xhci driver claims it needs XHCI_TRUST_TX_LENGTH quirk for both +Broadcom/Cavium and a Renesas xHC controllers. + +The quirk was inteded for handling false "success" complete event for +transfers that had data left untransferred. +These transfers should complete with "short packet" events instead. + +In these two new cases the false "success" completion is reported +after a "short packet" if the TD consists of several TRBs. +xHCI specs 4.10.1.1.2 say remaining TRBs should report "short packet" +as well after the first short packet in a TD, but this issue seems so +common it doesn't make sense to add the quirk for all vendors. + +Turn these events into short packets automatically instead. + +This gets rid of the "The WARN Successful completion on short TX for +slot 1 ep 1: needs XHCI_TRUST_TX_LENGTH quirk" warning in many cases. + +Cc: +Reported-by: Eli Billauer +Reported-by: Ard Biesheuvel +Tested-by: Eli Billauer +Tested-by: Ard Biesheuvel +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-6-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2330,7 +2330,8 @@ static int handle_tx_event(struct xhci_h + case COMP_SUCCESS: + if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) + break; +- if (xhci->quirks & XHCI_TRUST_TX_LENGTH) ++ if (xhci->quirks & XHCI_TRUST_TX_LENGTH || ++ ep_ring->last_td_was_short) + trb_comp_code = COMP_SHORT_PACKET; + else + xhci_warn_ratelimited(xhci, diff --git a/queue-4.19/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch b/queue-4.19/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch new file mode 100644 index 00000000000..5acc7d33999 --- /dev/null +++ b/queue-4.19/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch @@ -0,0 +1,43 @@ +From 7c67cf6658cec70d8a43229f2ce74ca1443dc95e Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 11 Dec 2019 16:20:05 +0200 +Subject: xhci: Increase STS_HALT timeout in xhci_suspend() + +From: Kai-Heng Feng + +commit 7c67cf6658cec70d8a43229f2ce74ca1443dc95e upstream. + +I've recently observed failed xHCI suspend attempt on AMD Raven Ridge +system: +kernel: xhci_hcd 0000:04:00.4: WARN: xHC CMD_RUN timeout +kernel: PM: suspend_common(): xhci_pci_suspend+0x0/0xd0 returns -110 +kernel: PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -110 +kernel: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x150 returns -110 +kernel: PM: Device 0000:04:00.4 failed to suspend async: error -110 + +Similar to commit ac343366846a ("xhci: Increase STS_SAVE timeout in +xhci_suspend()") we also need to increase the HALT timeout to make it be +able to suspend again. + +Cc: # 5.2+ +Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()") +Signed-off-by: Kai-Heng Feng +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20191211142007.8847-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -960,7 +960,7 @@ static bool xhci_pending_portevent(struc + int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup) + { + int rc = 0; +- unsigned int delay = XHCI_MAX_HALT_USEC; ++ unsigned int delay = XHCI_MAX_HALT_USEC * 2; + struct usb_hcd *hcd = xhci_to_hcd(xhci); + u32 command; + u32 res; -- 2.47.3