From f6dcdf3c0a2be5f15e211bcd3fc0580b670ba0bb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 13 Jan 2020 22:57:17 +0100 Subject: [PATCH] 4.9-stable patches added patches: can-can_dropped_invalid_skb-ensure-an-initialized-headroom-in-outgoing-can-sk_buffs.patch can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch staging-comedi-adv_pci1710-fix-ai-channels-16-31-for-pci-1713.patch staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch tty-always-relink-the-port.patch tty-link-tty-and-port-before-configuring-it-as-console.patch usb-musb-disable-pullup-at-init.patch usb-musb-dma-correct-parameter-passed-to-irq-handler.patch usb-musb-fix-idling-for-suspend-after-disconnect-interrupt.patch usb-serial-option-add-zlp-support-for-0x1bc7-0x9010.patch --- ...ed-headroom-in-outgoing-can-sk_buffs.patch | 88 +++++++++++++++++++ ...se-descriptors-of-current-altsetting.patch | 42 +++++++++ ...n-returning-from-polling-to-irq-mode.patch | 75 ++++++++++++++++ queue-4.9/series | 12 +++ ...0-fix-ai-channels-16-31-for-pci-1713.patch | 41 +++++++++ ...ice-code-for-tp-link-tl-wn727n-v5.21.patch | 32 +++++++ ...-set-usb_set_intfdata-on-driver-fail.patch | 55 ++++++++++++ queue-4.9/tty-always-relink-the-port.patch | 37 ++++++++ ...ort-before-configuring-it-as-console.patch | 69 +++++++++++++++ .../usb-musb-disable-pullup-at-init.patch | 37 ++++++++ ...rect-parameter-passed-to-irq-handler.patch | 35 ++++++++ ...r-suspend-after-disconnect-interrupt.patch | 62 +++++++++++++ ...on-add-zlp-support-for-0x1bc7-0x9010.patch | 85 ++++++++++++++++++ 13 files changed, 670 insertions(+) create mode 100644 queue-4.9/can-can_dropped_invalid_skb-ensure-an-initialized-headroom-in-outgoing-can-sk_buffs.patch create mode 100644 queue-4.9/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch create mode 100644 queue-4.9/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch create mode 100644 queue-4.9/staging-comedi-adv_pci1710-fix-ai-channels-16-31-for-pci-1713.patch create mode 100644 queue-4.9/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch create mode 100644 queue-4.9/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch create mode 100644 queue-4.9/tty-always-relink-the-port.patch create mode 100644 queue-4.9/tty-link-tty-and-port-before-configuring-it-as-console.patch create mode 100644 queue-4.9/usb-musb-disable-pullup-at-init.patch create mode 100644 queue-4.9/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch create mode 100644 queue-4.9/usb-musb-fix-idling-for-suspend-after-disconnect-interrupt.patch create mode 100644 queue-4.9/usb-serial-option-add-zlp-support-for-0x1bc7-0x9010.patch diff --git a/queue-4.9/can-can_dropped_invalid_skb-ensure-an-initialized-headroom-in-outgoing-can-sk_buffs.patch b/queue-4.9/can-can_dropped_invalid_skb-ensure-an-initialized-headroom-in-outgoing-can-sk_buffs.patch new file mode 100644 index 00000000000..5db87adabb0 --- /dev/null +++ b/queue-4.9/can-can_dropped_invalid_skb-ensure-an-initialized-headroom-in-outgoing-can-sk_buffs.patch @@ -0,0 +1,88 @@ +From e7153bf70c3496bac00e7e4f395bb8d8394ac0ea Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Sat, 7 Dec 2019 19:34:18 +0100 +Subject: can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs + +From: Oliver Hartkopp + +commit e7153bf70c3496bac00e7e4f395bb8d8394ac0ea upstream. + +KMSAN sysbot detected a read access to an untinitialized value in the +headroom of an outgoing CAN related sk_buff. When using CAN sockets this +area is filled appropriately - but when using a packet socket this +initialization is missing. + +The problematic read access occurs in the CAN receive path which can +only be triggered when the sk_buff is sent through a (virtual) CAN +interface. So we check in the sending path whether we need to perform +the missing initializations. + +Fixes: d3b58c47d330d ("can: replace timestamp as unique skb attribute") +Reported-by: syzbot+b02ff0707a97e4e79ebb@syzkaller.appspotmail.com +Signed-off-by: Oliver Hartkopp +Tested-by: Oliver Hartkopp +Cc: linux-stable # >= v4.1 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/can/dev.h | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/include/linux/can/dev.h ++++ b/include/linux/can/dev.h +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -81,6 +82,36 @@ struct can_priv { + #define get_can_dlc(i) (min_t(__u8, (i), CAN_MAX_DLC)) + #define get_canfd_dlc(i) (min_t(__u8, (i), CANFD_MAX_DLC)) + ++/* Check for outgoing skbs that have not been created by the CAN subsystem */ ++static inline bool can_skb_headroom_valid(struct net_device *dev, ++ struct sk_buff *skb) ++{ ++ /* af_packet creates a headroom of HH_DATA_MOD bytes which is fine */ ++ if (WARN_ON_ONCE(skb_headroom(skb) < sizeof(struct can_skb_priv))) ++ return false; ++ ++ /* af_packet does not apply CAN skb specific settings */ ++ if (skb->ip_summed == CHECKSUM_NONE) { ++ /* init headroom */ ++ can_skb_prv(skb)->ifindex = dev->ifindex; ++ can_skb_prv(skb)->skbcnt = 0; ++ ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ++ /* preform proper loopback on capable devices */ ++ if (dev->flags & IFF_ECHO) ++ skb->pkt_type = PACKET_LOOPBACK; ++ else ++ skb->pkt_type = PACKET_HOST; ++ ++ skb_reset_mac_header(skb); ++ skb_reset_network_header(skb); ++ skb_reset_transport_header(skb); ++ } ++ ++ return true; ++} ++ + /* Drop a given socketbuffer if it does not contain a valid CAN frame. */ + static inline bool can_dropped_invalid_skb(struct net_device *dev, + struct sk_buff *skb) +@@ -98,6 +129,9 @@ static inline bool can_dropped_invalid_s + } else + goto inval_skb; + ++ if (!can_skb_headroom_valid(dev, skb)) ++ goto inval_skb; ++ + return false; + + inval_skb: diff --git a/queue-4.9/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch b/queue-4.9/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch new file mode 100644 index 00000000000..1414359df79 --- /dev/null +++ b/queue-4.9/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch @@ -0,0 +1,42 @@ +From 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:32:31 +0100 +Subject: can: gs_usb: gs_usb_probe(): use descriptors of current altsetting + +From: Johan Hovold + +commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream. + +Make sure to always use the descriptors of the current alternate setting +to avoid future issues when accessing fields that may differ between +settings. + +Signed-off-by: Johan Hovold +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/gs_usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -927,7 +927,7 @@ static int gs_usb_probe(struct usb_inter + GS_USB_BREQ_HOST_FORMAT, + USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, + 1, +- intf->altsetting[0].desc.bInterfaceNumber, ++ intf->cur_altsetting->desc.bInterfaceNumber, + hconf, + sizeof(*hconf), + 1000); +@@ -950,7 +950,7 @@ static int gs_usb_probe(struct usb_inter + GS_USB_BREQ_DEVICE_CONFIG, + USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, + 1, +- intf->altsetting[0].desc.bInterfaceNumber, ++ intf->cur_altsetting->desc.bInterfaceNumber, + dconf, + sizeof(*dconf), + 1000); diff --git a/queue-4.9/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch b/queue-4.9/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch new file mode 100644 index 00000000000..49d88043e18 --- /dev/null +++ b/queue-4.9/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch @@ -0,0 +1,75 @@ +From 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 Mon Sep 17 00:00:00 2001 +From: Florian Faber +Date: Thu, 26 Dec 2019 19:51:24 +0100 +Subject: can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode + +From: Florian Faber + +commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream. + +Under load, the RX side of the mscan driver can get stuck while TX still +works. Restarting the interface locks up the system. This behaviour +could be reproduced reliably on a MPC5121e based system. + +The patch fixes the return value of the NAPI polling function (should be +the number of processed packets, not constant 1) and the condition under +which IRQs are enabled again after polling is finished. + +With this patch, no more lockups were observed over a test period of ten +days. + +Fixes: afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan") +Signed-off-by: Florian Faber +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/mscan/mscan.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/drivers/net/can/mscan/mscan.c ++++ b/drivers/net/can/mscan/mscan.c +@@ -392,13 +392,12 @@ static int mscan_rx_poll(struct napi_str + struct net_device *dev = napi->dev; + struct mscan_regs __iomem *regs = priv->reg_base; + struct net_device_stats *stats = &dev->stats; +- int npackets = 0; +- int ret = 1; ++ int work_done = 0; + struct sk_buff *skb; + struct can_frame *frame; + u8 canrflg; + +- while (npackets < quota) { ++ while (work_done < quota) { + canrflg = in_8(®s->canrflg); + if (!(canrflg & (MSCAN_RXF | MSCAN_ERR_IF))) + break; +@@ -419,18 +418,18 @@ static int mscan_rx_poll(struct napi_str + + stats->rx_packets++; + stats->rx_bytes += frame->can_dlc; +- npackets++; ++ work_done++; + netif_receive_skb(skb); + } + +- if (!(in_8(®s->canrflg) & (MSCAN_RXF | MSCAN_ERR_IF))) { +- napi_complete(&priv->napi); +- clear_bit(F_RX_PROGRESS, &priv->flags); +- if (priv->can.state < CAN_STATE_BUS_OFF) +- out_8(®s->canrier, priv->shadow_canrier); +- ret = 0; ++ if (work_done < quota) { ++ if (likely(napi_complete_done(&priv->napi, work_done))) { ++ clear_bit(F_RX_PROGRESS, &priv->flags); ++ if (priv->can.state < CAN_STATE_BUS_OFF) ++ out_8(®s->canrier, priv->shadow_canrier); ++ } + } +- return ret; ++ return work_done; + } + + static irqreturn_t mscan_isr(int irq, void *dev_id) diff --git a/queue-4.9/series b/queue-4.9/series index a14ebd95291..9b474550558 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -10,3 +10,15 @@ hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch hid-hid-input-clear-unmapped-usages.patch input-add-safety-guards-to-input_set_keycode.patch drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch +can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch +can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch +can-can_dropped_invalid_skb-ensure-an-initialized-headroom-in-outgoing-can-sk_buffs.patch +staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch +usb-serial-option-add-zlp-support-for-0x1bc7-0x9010.patch +usb-musb-fix-idling-for-suspend-after-disconnect-interrupt.patch +usb-musb-disable-pullup-at-init.patch +usb-musb-dma-correct-parameter-passed-to-irq-handler.patch +staging-comedi-adv_pci1710-fix-ai-channels-16-31-for-pci-1713.patch +staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch +tty-link-tty-and-port-before-configuring-it-as-console.patch +tty-always-relink-the-port.patch diff --git a/queue-4.9/staging-comedi-adv_pci1710-fix-ai-channels-16-31-for-pci-1713.patch b/queue-4.9/staging-comedi-adv_pci1710-fix-ai-channels-16-31-for-pci-1713.patch new file mode 100644 index 00000000000..2a522219579 --- /dev/null +++ b/queue-4.9/staging-comedi-adv_pci1710-fix-ai-channels-16-31-for-pci-1713.patch @@ -0,0 +1,41 @@ +From a9d3a9cedc1330c720e0ddde1978a8e7771da5ab Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 27 Dec 2019 17:00:54 +0000 +Subject: staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 + +From: Ian Abbott + +commit a9d3a9cedc1330c720e0ddde1978a8e7771da5ab upstream. + +The Advantech PCI-1713 has 32 analog input channels, but an incorrect +bit-mask in the definition of the `PCI171X_MUX_CHANH(x)` and +PCI171X_MUX_CHANL(x)` macros is causing channels 16 to 31 to be aliases +of channels 0 to 15. Change the bit-mask value from 0xf to 0xff to fix +it. Note that the channel numbers will have been range checked already, +so the bit-mask isn't really needed. + +Fixes: 92c65e5553ed ("staging: comedi: adv_pci1710: define the mux control register bits") +Reported-by: Dmytro Fil +Cc: # v4.5+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20191227170054.32051-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/adv_pci1710.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers/adv_pci1710.c ++++ b/drivers/staging/comedi/drivers/adv_pci1710.c +@@ -45,8 +45,8 @@ + #define PCI171X_RANGE_UNI BIT(4) + #define PCI171X_RANGE_GAIN(x) (((x) & 0x7) << 0) + #define PCI171X_MUX_REG 0x04 /* W: A/D multiplexor control */ +-#define PCI171X_MUX_CHANH(x) (((x) & 0xf) << 8) +-#define PCI171X_MUX_CHANL(x) (((x) & 0xf) << 0) ++#define PCI171X_MUX_CHANH(x) (((x) & 0xff) << 8) ++#define PCI171X_MUX_CHANL(x) (((x) & 0xff) << 0) + #define PCI171X_MUX_CHAN(x) (PCI171X_MUX_CHANH(x) | PCI171X_MUX_CHANL(x)) + #define PCI171X_STATUS_REG 0x06 /* R: status register */ + #define PCI171X_STATUS_IRQ BIT(11) /* 1=IRQ occurred */ diff --git a/queue-4.9/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch b/queue-4.9/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch new file mode 100644 index 00000000000..694865b8cd5 --- /dev/null +++ b/queue-4.9/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch @@ -0,0 +1,32 @@ +From 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a Mon Sep 17 00:00:00 2001 +From: Michael Straube +Date: Sat, 28 Dec 2019 15:37:25 +0100 +Subject: staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 + +From: Michael Straube + +commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream. + +This device was added to the stand-alone driver on github. +Add it to the staging driver as well. + +Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8 +Signed-off-by: Michael Straube +Cc: stable +Link: https://lore.kernel.org/r/20191228143725.24455-1-straube.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -45,6 +45,7 @@ static struct usb_device_id rtw_usb_id_t + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */ + {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */ + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ ++ {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ + {} /* Terminating entry */ diff --git a/queue-4.9/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch b/queue-4.9/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch new file mode 100644 index 00000000000..384c80e3604 --- /dev/null +++ b/queue-4.9/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch @@ -0,0 +1,55 @@ +From c0bcf9f3f5b661d4ace2a64a79ef661edd2a4dc8 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Fri, 20 Dec 2019 21:15:59 +0000 +Subject: staging: vt6656: set usb_set_intfdata on driver fail. + +From: Malcolm Priestley + +commit c0bcf9f3f5b661d4ace2a64a79ef661edd2a4dc8 upstream. + +intfdata will contain stale pointer when the device is detached after +failed initialization when referenced in vt6656_disconnect + +Provide driver access to it here and NULL it. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/6de448d7-d833-ef2e-dd7b-3ef9992fee0e@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/device.h | 1 + + drivers/staging/vt6656/main_usb.c | 1 + + drivers/staging/vt6656/wcmd.c | 1 + + 3 files changed, 3 insertions(+) + +--- a/drivers/staging/vt6656/device.h ++++ b/drivers/staging/vt6656/device.h +@@ -269,6 +269,7 @@ struct vnt_private { + u8 mac_hw; + /* netdev */ + struct usb_device *usb; ++ struct usb_interface *intf; + + u64 tsf_time; + u8 rx_rate; +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -972,6 +972,7 @@ vt6656_probe(struct usb_interface *intf, + priv = hw->priv; + priv->hw = hw; + priv->usb = udev; ++ priv->intf = intf; + + vnt_set_options(priv); + +--- a/drivers/staging/vt6656/wcmd.c ++++ b/drivers/staging/vt6656/wcmd.c +@@ -110,6 +110,7 @@ void vnt_run_command(struct work_struct + if (vnt_init(priv)) { + /* If fail all ends TODO retry */ + dev_err(&priv->usb->dev, "failed to start\n"); ++ usb_set_intfdata(priv->intf, NULL); + ieee80211_free_hw(priv->hw); + return; + } diff --git a/queue-4.9/tty-always-relink-the-port.patch b/queue-4.9/tty-always-relink-the-port.patch new file mode 100644 index 00000000000..02f1a600fec --- /dev/null +++ b/queue-4.9/tty-always-relink-the-port.patch @@ -0,0 +1,37 @@ +From 273f632912f1b24b642ba5b7eb5022e43a72f3b5 Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee +Date: Fri, 27 Dec 2019 17:44:34 +0000 +Subject: tty: always relink the port + +From: Sudip Mukherjee + +commit 273f632912f1b24b642ba5b7eb5022e43a72f3b5 upstream. + +If the serial device is disconnected and reconnected, it re-enumerates +properly but does not link it. fwiw, linking means just saving the port +index, so allow it always as there is no harm in saving the same value +again even if it tries to relink with the same port. + +Fixes: fb2b90014d78 ("tty: link tty and port before configuring it as console") +Reported-by: Kenneth R. Crudup +Signed-off-by: Sudip Mukherjee +Cc: stable +Link: https://lore.kernel.org/r/20191227174434.12057-1-sudipm.mukherjee@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_port.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -48,8 +48,7 @@ void tty_port_link_device(struct tty_por + { + if (WARN_ON(index >= driver->num)) + return; +- if (!driver->ports[index]) +- driver->ports[index] = port; ++ driver->ports[index] = port; + } + EXPORT_SYMBOL_GPL(tty_port_link_device); + diff --git a/queue-4.9/tty-link-tty-and-port-before-configuring-it-as-console.patch b/queue-4.9/tty-link-tty-and-port-before-configuring-it-as-console.patch new file mode 100644 index 00000000000..a513d113cf9 --- /dev/null +++ b/queue-4.9/tty-link-tty-and-port-before-configuring-it-as-console.patch @@ -0,0 +1,69 @@ +From fb2b90014d782d80d7ebf663e50f96d8c507a73c Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee +Date: Thu, 12 Dec 2019 13:16:02 +0000 +Subject: tty: link tty and port before configuring it as console + +From: Sudip Mukherjee + +commit fb2b90014d782d80d7ebf663e50f96d8c507a73c upstream. + +There seems to be a race condition in tty drivers and I could see on +many boot cycles a NULL pointer dereference as tty_init_dev() tries to +do 'tty->port->itty = tty' even though tty->port is NULL. +'tty->port' will be set by the driver and if the driver has not yet done +it before we open the tty device we can get to this situation. By adding +some extra debug prints, I noticed that: + +6.650130: uart_add_one_port +6.663849: register_console +6.664846: tty_open +6.674391: tty_init_dev +6.675456: tty_port_link_device + +uart_add_one_port() registers the console, as soon as it registers, the +userspace tries to use it and that leads to tty_open() but +uart_add_one_port() has not yet done tty_port_link_device() and so +tty->port is not yet configured when control reaches tty_init_dev(). + +Further look into the code and tty_port_link_device() is done by +uart_add_one_port(). After registering the console uart_add_one_port() +will call tty_port_register_device_attr_serdev() and +tty_port_link_device() is called from this. + +Call add tty_port_link_device() before uart_configure_port() is done and +add a check in tty_port_link_device() so that it only links the port if +it has not been done yet. + +Suggested-by: Jiri Slaby +Signed-off-by: Sudip Mukherjee +Cc: stable +Link: https://lore.kernel.org/r/20191212131602.29504-1-sudipm.mukherjee@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/serial_core.c | 1 + + drivers/tty/tty_port.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2795,6 +2795,7 @@ int uart_add_one_port(struct uart_driver + if (uport->cons && uport->dev) + of_console_check(uport->dev->of_node, uport->cons->name, uport->line); + ++ tty_port_link_device(port, drv->tty_driver, uport->line); + uart_configure_port(drv, state, uport); + + port->console = uart_console(uport); +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -48,7 +48,8 @@ void tty_port_link_device(struct tty_por + { + if (WARN_ON(index >= driver->num)) + return; +- driver->ports[index] = port; ++ if (!driver->ports[index]) ++ driver->ports[index] = port; + } + EXPORT_SYMBOL_GPL(tty_port_link_device); + diff --git a/queue-4.9/usb-musb-disable-pullup-at-init.patch b/queue-4.9/usb-musb-disable-pullup-at-init.patch new file mode 100644 index 00000000000..ae7e9e3b37d --- /dev/null +++ b/queue-4.9/usb-musb-disable-pullup-at-init.patch @@ -0,0 +1,37 @@ +From 96a0c12843109e5c4d5eb1e09d915fdd0ce31d25 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Tue, 7 Jan 2020 09:26:25 -0600 +Subject: usb: musb: Disable pullup at init + +From: Paul Cercueil + +commit 96a0c12843109e5c4d5eb1e09d915fdd0ce31d25 upstream. + +The pullup may be already enabled before the driver is initialized. This +happens for instance on JZ4740. + +It has to be disabled at init time, as we cannot guarantee that a gadget +driver will be bound to the UDC. + +Signed-off-by: Paul Cercueil +Suggested-by: Bin Liu +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Link: https://lore.kernel.org/r/20200107152625.857-3-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/musb_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -2317,6 +2317,9 @@ musb_init_controller(struct device *dev, + musb_platform_disable(musb); + musb_generic_disable(musb); + ++ /* MUSB_POWER_SOFTCONN might be already set, JZ4740 does this. */ ++ musb_writeb(musb->mregs, MUSB_POWER, 0); ++ + /* Init IRQ workqueue before request_irq */ + INIT_DELAYED_WORK(&musb->irq_work, musb_irq_work); + INIT_DELAYED_WORK(&musb->deassert_reset_work, musb_deassert_reset); diff --git a/queue-4.9/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch b/queue-4.9/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch new file mode 100644 index 00000000000..9c2de4e4e53 --- /dev/null +++ b/queue-4.9/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch @@ -0,0 +1,35 @@ +From c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Mon, 16 Dec 2019 10:18:43 -0600 +Subject: usb: musb: dma: Correct parameter passed to IRQ handler + +From: Paul Cercueil + +commit c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 upstream. + +The IRQ handler was passed a pointer to a struct dma_controller, but the +argument was then casted to a pointer to a struct musb_dma_controller. + +Fixes: 427c4f333474 ("usb: struct device - replace bus_id with dev_name(), dev_set_name()") +Signed-off-by: Paul Cercueil +Tested-by: Artur Rojek +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Link: https://lore.kernel.org/r/20191216161844.772-2-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musbhsdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/musb/musbhsdma.c ++++ b/drivers/usb/musb/musbhsdma.c +@@ -399,7 +399,7 @@ struct dma_controller *musbhs_dma_contro + controller->controller.channel_abort = dma_channel_abort; + + if (request_irq(irq, dma_controller_irq, 0, +- dev_name(musb->controller), &controller->controller)) { ++ dev_name(musb->controller), controller)) { + dev_err(dev, "request_irq %d failed!\n", irq); + musb_dma_controller_destroy(&controller->controller); + diff --git a/queue-4.9/usb-musb-fix-idling-for-suspend-after-disconnect-interrupt.patch b/queue-4.9/usb-musb-fix-idling-for-suspend-after-disconnect-interrupt.patch new file mode 100644 index 00000000000..34f47d16a93 --- /dev/null +++ b/queue-4.9/usb-musb-fix-idling-for-suspend-after-disconnect-interrupt.patch @@ -0,0 +1,62 @@ +From 5fbf7a2534703fd71159d3d71504b0ad01b43394 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Tue, 7 Jan 2020 09:26:24 -0600 +Subject: usb: musb: fix idling for suspend after disconnect interrupt + +From: Tony Lindgren + +commit 5fbf7a2534703fd71159d3d71504b0ad01b43394 upstream. + +When disconnected as USB B-device, suspend interrupt should come before +diconnect interrupt, because the DP/DM pins are shorter than the +VBUS/GND pins on the USB connectors. But we sometimes get a suspend +interrupt after disconnect interrupt. In that case we have devctl set to +99 with VBUS still valid and musb_pm_runtime_check_session() wrongly +thinks we have an active session. We have no other interrupts after +disconnect coming in this case at least with the omap2430 glue. + +Let's fix the issue by checking the interrupt status again with +delayed work for the devctl 99 case. In the suspend after disconnect +case the devctl session bit has cleared by then and musb can idle. +For a typical USB B-device connect case we just continue with normal +interrupts. + +Fixes: 467d5c980709 ("usb: musb: Implement session bit based runtime PM for musb-core") + +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Sebastian Reichel +Cc: stable@vger.kernel.org +Signed-off-by: Tony Lindgren +Signed-off-by: Bin Liu +Link: https://lore.kernel.org/r/20200107152625.857-2-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -1832,6 +1832,9 @@ static const struct attribute_group musb + #define MUSB_QUIRK_B_INVALID_VBUS_91 (MUSB_DEVCTL_BDEVICE | \ + (2 << MUSB_DEVCTL_VBUS_SHIFT) | \ + MUSB_DEVCTL_SESSION) ++#define MUSB_QUIRK_B_DISCONNECT_99 (MUSB_DEVCTL_BDEVICE | \ ++ (3 << MUSB_DEVCTL_VBUS_SHIFT) | \ ++ MUSB_DEVCTL_SESSION) + #define MUSB_QUIRK_A_DISCONNECT_19 ((3 << MUSB_DEVCTL_VBUS_SHIFT) | \ + MUSB_DEVCTL_SESSION) + +@@ -1854,6 +1857,11 @@ static void musb_pm_runtime_check_sessio + s = MUSB_DEVCTL_FSDEV | MUSB_DEVCTL_LSDEV | + MUSB_DEVCTL_HR; + switch (devctl & ~s) { ++ case MUSB_QUIRK_B_DISCONNECT_99: ++ musb_dbg(musb, "Poll devctl in case of suspend after disconnect\n"); ++ schedule_delayed_work(&musb->irq_work, ++ msecs_to_jiffies(1000)); ++ break; + case MUSB_QUIRK_B_INVALID_VBUS_91: + if (musb->quirk_retries--) { + musb_dbg(musb, diff --git a/queue-4.9/usb-serial-option-add-zlp-support-for-0x1bc7-0x9010.patch b/queue-4.9/usb-serial-option-add-zlp-support-for-0x1bc7-0x9010.patch new file mode 100644 index 00000000000..15fa57c4424 --- /dev/null +++ b/queue-4.9/usb-serial-option-add-zlp-support-for-0x1bc7-0x9010.patch @@ -0,0 +1,85 @@ +From 2438c3a19dec5e98905fd3ffcc2f24716aceda6b Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Thu, 19 Dec 2019 11:07:07 +0100 +Subject: USB: serial: option: add ZLP support for 0x1bc7/0x9010 + +From: Daniele Palmas + +commit 2438c3a19dec5e98905fd3ffcc2f24716aceda6b upstream. + +Telit FN980 flashing device 0x1bc7/0x9010 requires zero packet +to be sent if out data size is is equal to the endpoint max size. + +Signed-off-by: Daniele Palmas +[ johan: switch operands in conditional ] +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 8 ++++++++ + drivers/usb/serial/usb-wwan.h | 1 + + drivers/usb/serial/usb_wwan.c | 4 ++++ + 3 files changed, 13 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -566,6 +566,9 @@ static void option_instat_callback(struc + /* Interface is reserved */ + #define RSVD(ifnum) ((BIT(ifnum) & 0xff) << 0) + ++/* Device needs ZLP */ ++#define ZLP BIT(17) ++ + + static const struct usb_device_id option_ids[] = { + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, +@@ -1193,6 +1196,8 @@ static const struct usb_device_id option + .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */ + .driver_info = NCTRL(0) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, 0x9010), /* Telit SBL FN980 flashing device */ ++ .driver_info = NCTRL(0) | ZLP }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff), + .driver_info = RSVD(1) }, +@@ -2097,6 +2102,9 @@ static int option_attach(struct usb_seri + if (!(device_flags & NCTRL(iface_desc->bInterfaceNumber))) + data->use_send_setup = 1; + ++ if (device_flags & ZLP) ++ data->use_zlp = 1; ++ + spin_lock_init(&data->susp_lock); + + usb_set_serial_data(serial, data); +--- a/drivers/usb/serial/usb-wwan.h ++++ b/drivers/usb/serial/usb-wwan.h +@@ -35,6 +35,7 @@ struct usb_wwan_intf_private { + spinlock_t susp_lock; + unsigned int suspended:1; + unsigned int use_send_setup:1; ++ unsigned int use_zlp:1; + int in_flight; + unsigned int open_ports; + void *private; +--- a/drivers/usb/serial/usb_wwan.c ++++ b/drivers/usb/serial/usb_wwan.c +@@ -495,6 +495,7 @@ static struct urb *usb_wwan_setup_urb(st + void (*callback) (struct urb *)) + { + struct usb_serial *serial = port->serial; ++ struct usb_wwan_intf_private *intfdata = usb_get_serial_data(serial); + struct urb *urb; + + urb = usb_alloc_urb(0, GFP_KERNEL); /* No ISO */ +@@ -505,6 +506,9 @@ static struct urb *usb_wwan_setup_urb(st + usb_sndbulkpipe(serial->dev, endpoint) | dir, + buf, len, callback, ctx); + ++ if (intfdata->use_zlp && dir == USB_DIR_OUT) ++ urb->transfer_flags |= URB_ZERO_PACKET; ++ + return urb; + } + -- 2.47.3