From fb94a4dd32a7cd49221c16ac3f6f30be83a98498 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 12 Jul 2019 10:59:08 +0200 Subject: [PATCH] 4.19-stable patches added patches: binder-fix-memory-leak-in-error-path.patch drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch hid-add-another-primax-pixart-oem-mouse-quirk.patch lkdtm-support-llvm-objcopy.patch p54usb-fix-race-between-disconnect-and-firmware-loading.patch revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch --- ...binder-fix-memory-leak-in-error-path.patch | 43 +++++ ...b-typec-tps6598x.c-fix-4cc-cmd-write.patch | 45 +++++ ...-typec-tps6598x.c-fix-portinfo-width.patch | 33 ++++ ...nother-primax-pixart-oem-mouse-quirk.patch | 46 +++++ queue-4.19/lkdtm-support-llvm-objcopy.patch | 60 ++++++ ...ween-disconnect-and-firmware-loading.patch | 174 ++++++++++++++++++ ...e-rx-fifo-if-interrupts-are-disabled.patch | 39 ++++ queue-4.19/series | 14 ++ ...-fix-null-pointer-deref-on-interrupt.patch | 45 +++++ ...ix-a-null-pointer-deref-on-interrupt.patch | 50 +++++ ...-ahb-idle-timeout-in-dwc2_core_reset.patch | 43 +++++ ...ween-gether_disconnect-and-rx_submit.patch | 50 +++++ ...nd-for-a-race-condition-of-workqueue.patch | 129 +++++++++++++ ...rial-ftdi_sio-add-id-for-isodebug-v1.patch | 44 +++++ ...upport-for-gosuncn-me3630-rndis-mode.patch | 46 +++++ 15 files changed, 861 insertions(+) create mode 100644 queue-4.19/binder-fix-memory-leak-in-error-path.patch create mode 100644 queue-4.19/drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch create mode 
100644 queue-4.19/drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch create mode 100644 queue-4.19/hid-add-another-primax-pixart-oem-mouse-quirk.patch create mode 100644 queue-4.19/lkdtm-support-llvm-objcopy.patch create mode 100644 queue-4.19/p54usb-fix-race-between-disconnect-and-firmware-loading.patch create mode 100644 queue-4.19/revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch create mode 100644 queue-4.19/staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch create mode 100644 queue-4.19/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch create mode 100644 queue-4.19/usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch create mode 100644 queue-4.19/usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch create mode 100644 queue-4.19/usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch create mode 100644 queue-4.19/usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch create mode 100644 queue-4.19/usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch
diff --git a/queue-4.19/binder-fix-memory-leak-in-error-path.patch b/queue-4.19/binder-fix-memory-leak-in-error-path.patch
new file mode 100644
index 00000000000..c751b21aa9a
--- /dev/null
+++ b/queue-4.19/binder-fix-memory-leak-in-error-path.patch
@@ -0,0 +1,43 @@
+From 1909a671dbc3606685b1daf8b22a16f65ea7edda Mon Sep 17 00:00:00 2001
+From: Todd Kjos
+Date: Fri, 21 Jun 2019 10:54:15 -0700
+Subject: binder: fix memory leak in error path
+
+From: Todd Kjos
+
+commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream.
+
+syzkallar found a 32-byte memory leak in a rarely executed error
+case. The transaction complete work item was not freed if put_user()
+failed when writing the BR_TRANSACTION_COMPLETE to the user command
+buffer. Fixed by freeing it before put_user() is called.
+
+Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3936,6 +3936,8 @@ retry:
+ case BINDER_WORK_TRANSACTION_COMPLETE: {
+ binder_inner_proc_unlock(proc);
+ cmd = BR_TRANSACTION_COMPLETE;
++ kfree(w);
++ binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ if (put_user(cmd, (uint32_t __user *)ptr))
+ return -EFAULT;
+ ptr += sizeof(uint32_t);
+@@ -3944,8 +3946,6 @@ retry:
+ binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
+ "%d:%d BR_TRANSACTION_COMPLETE\n",
+ proc->pid, thread->pid);
+- kfree(w);
+- binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ } break;
+ case BINDER_WORK_NODE: {
+ struct binder_node *node = container_of(w, struct binder_node, work);
diff --git a/queue-4.19/drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch b/queue-4.19/drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch
new file mode 100644
index 00000000000..011944b288c
--- /dev/null
+++ b/queue-4.19/drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch
@@ -0,0 +1,45 @@
+From 2681795b5e7a5bf336537661010072f4c22cea31 Mon Sep 17 00:00:00 2001
+From: Nikolaus Voss
+Date: Fri, 28 Jun 2019 11:01:09 +0200
+Subject: drivers/usb/typec/tps6598x.c: fix 4CC cmd write
+
+From: Nikolaus Voss
+
+commit 2681795b5e7a5bf336537661010072f4c22cea31 upstream.
+
+Writing 4CC commands with tps6598x_write_4cc() already has
+a pointer arg, don't reference it when using as arg to
+tps6598x_block_write(). Correcting this enforces the constness
+of the pointer to propagate to tps6598x_block_write(), so add
+the const qualifier there to avoid the warning.
+
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Signed-off-by: Nikolaus Voss
+Acked-by: Heikki Krogerus
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/typec/tps6598x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -111,7 +111,7 @@ tps6598x_block_read(struct tps6598x *tps
+ }
+
+ static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
+- void *val, size_t len)
++ const void *val, size_t len)
+ {
+ u8 data[TPS_MAX_LEN + 1];
+
+@@ -157,7 +157,7 @@ static inline int tps6598x_write64(struc
+ static inline int
+ tps6598x_write_4cc(struct tps6598x *tps, u8 reg, const char *val)
+ {
+- return tps6598x_block_write(tps, reg, &val, sizeof(u32));
++ return tps6598x_block_write(tps, reg, val, 4);
+ }
+
+ static int tps6598x_read_partner_identity(struct tps6598x *tps)
diff --git a/queue-4.19/drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch b/queue-4.19/drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch
new file mode 100644
index 00000000000..e0af7f92fbb
--- /dev/null
+++ b/queue-4.19/drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch
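Review bot: In the new `tps6598x_write_4cc()` the length is the bare literal `4`, and nothing ties it to the size of the object `val` points at, so a caller that passes a string shorter than four characters would have bytes past its end copied into the register write. No caller is visible in this patch, so whether every one passes a four-character command cannot be confirmed from here. I would state the contract at the definition, e.g. `/* val must point to exactly four command characters (4CC); no NUL is sent */`, and give the length a name instead of repeating `4`. The body of `tps6598x_block_write()` continues outside the hunk, so it is also not visible whether `len` is checked against `TPS_MAX_LEN` before `data[]` is filled.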
@@ -0,0 +1,33 @@
+From 05da75fc651138e51ff74ace97174349910463f5 Mon Sep 17 00:00:00 2001
+From: Nikolaus Voss
+Date: Fri, 28 Jun 2019 11:01:08 +0200
+Subject: drivers/usb/typec/tps6598x.c: fix portinfo width
+
+From: Nikolaus Voss
+
+commit 05da75fc651138e51ff74ace97174349910463f5 upstream.
+
+Portinfo bit field is 3 bits wide, not 2 bits. This led to
+a wrong driver configuration for some tps6598x configurations.
+
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Signed-off-by: Nikolaus Voss
+Acked-by: Heikki Krogerus
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/typec/tps6598x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -39,7 +39,7 @@
+ #define TPS_STATUS_VCONN(s) (!!((s) & BIT(7)))
+
+ /* TPS_REG_SYSTEM_CONF bits */
+-#define TPS_SYSCONF_PORTINFO(c) ((c) & 3)
++#define TPS_SYSCONF_PORTINFO(c) ((c) & 7)
+
+ enum {
+ TPS_PORTINFO_SINK,
diff --git a/queue-4.19/hid-add-another-primax-pixart-oem-mouse-quirk.patch b/queue-4.19/hid-add-another-primax-pixart-oem-mouse-quirk.patch
new file mode 100644
index 00000000000..94a1347b654
--- /dev/null
+++ b/queue-4.19/hid-add-another-primax-pixart-oem-mouse-quirk.patch
@@ -0,0 +1,46 @@
+From 4c12954965fdf33d8ae3883c1931fc29ca023cfb Mon Sep 17 00:00:00 2001
+From: Sebastian Parschauer
+Date: Mon, 1 Jul 2019 07:48:17 +0200
+Subject: HID: Add another Primax PIXART OEM mouse quirk
+
+From: Sebastian Parschauer
+
+commit 4c12954965fdf33d8ae3883c1931fc29ca023cfb upstream.
+
+The PixArt OEM mice are known for disconnecting every minute in
+runlevel 1 or 3 if they are not always polled. So add quirk
+ALWAYS_POLL for this Alienware branded Primax mouse as well.
+
+Daniel Schepler (@dschepler) reported and tested the quirk.
+Reference: https://github.com/sriemer/fix-linux-mouse/issues/15
+
+Signed-off-by: Sebastian Parschauer
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1212,6 +1212,7 @@
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f
++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65 0x4d65
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22 0x4e22
+
+
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -131,6 +131,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001), HID_QUIRK_NOGET },
diff --git a/queue-4.19/lkdtm-support-llvm-objcopy.patch b/queue-4.19/lkdtm-support-llvm-objcopy.patch
new file mode 100644
index 00000000000..45b446c1b23
--- /dev/null
+++ b/queue-4.19/lkdtm-support-llvm-objcopy.patch
@@ -0,0 +1,60 @@
+From e9e08a07385e08f1a7f85c5d1e345c21c9564963 Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers
+Date: Wed, 15 May 2019 11:24:41 -0700
+Subject: lkdtm: support llvm-objcopy
+
+From: Nick Desaulniers
+
+commit e9e08a07385e08f1a7f85c5d1e345c21c9564963 upstream.
+
+With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:
+llvm-objcopy: error: --set-section-flags=.text conflicts with
+--rename-section=.text=.rodata
+
+Rather than support setting flags then renaming sections vs renaming
+then setting flags, it's simpler to just change both at the same time
+via --rename-section. Adding the load flag is required for GNU objcopy
+to mark .rodata Type as PROGBITS after the rename.
+
+This can be verified with:
+$ readelf -S drivers/misc/lkdtm/rodata_objcopy.o
+...
+Section Headers:
+ [Nr] Name Type Address Offset
+ Size EntSize Flags Link Info Align
+...
+ [ 1] .rodata PROGBITS 0000000000000000 00000040
+ 0000000000000004 0000000000000000 A 0 0 4
+...
+
+Which shows that .text is now renamed .rodata, the alloc flag A is set,
+the type is PROGBITS, and the section is not flagged as writeable W.
+
+Cc: stable@vger.kernel.org
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=24554
+Link: https://github.com/ClangBuiltLinux/linux/issues/448
+Reported-by: Nathan Chancellor
+Suggested-by: Alan Modra
+Suggested-by: Jordan Rupprect
+Suggested-by: Kees Cook
+Acked-by: Kees Cook
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Nick Desaulniers
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/lkdtm/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/misc/lkdtm/Makefile
++++ b/drivers/misc/lkdtm/Makefile
+@@ -13,8 +13,7 @@ KCOV_INSTRUMENT_rodata.o := n
+
+ OBJCOPYFLAGS :=
+ OBJCOPYFLAGS_rodata_objcopy.o := \
+- --set-section-flags .text=alloc,readonly \
+- --rename-section .text=.rodata
++ --rename-section .text=.rodata,alloc,readonly,load
+ targets += rodata.o rodata_objcopy.o
+ $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
+ $(call if_changed,objcopy)
diff --git a/queue-4.19/p54usb-fix-race-between-disconnect-and-firmware-loading.patch b/queue-4.19/p54usb-fix-race-between-disconnect-and-firmware-loading.patch
new file mode 100644
index 00000000000..f289c0d42d7
--- /dev/null
+++ b/queue-4.19/p54usb-fix-race-between-disconnect-and-firmware-loading.patch
@@ -0,0 +1,174 @@
+From 6e41e2257f1094acc37618bf6c856115374c6922 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 20 May 2019 10:44:21 -0400
+Subject: p54usb: Fix race between disconnect and firmware loading
+
+From: Alan Stern
+
+commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream.
+
+The syzbot fuzzer found a bug in the p54 USB wireless driver. The
+issue involves a race between disconnect and the firmware-loader
+callback routine, and it has several aspects.
+
+One big problem is that when the firmware can't be loaded, the
+callback routine tries to unbind the driver from the USB _device_ (by
+calling device_release_driver) instead of from the USB _interface_ to
+which it is actually bound (by calling usb_driver_release_interface).
+
+The race involves access to the private data structure. The driver's
+disconnect handler waits for a completion that is signalled by the
+firmware-loader callback routine. As soon as the completion is
+signalled, you have to assume that the private data structure may have
+been deallocated by the disconnect handler -- even if the firmware was
+loaded without errors. However, the callback routine does access the
+private data several times after that point.
+
+Another problem is that, in order to ensure that the USB device
+structure hasn't been freed when the callback routine runs, the driver
+takes a reference to it. This isn't good enough any more, because now
+that the callback routine calls usb_driver_release_interface, it has
+to ensure that the interface structure hasn't been freed.
+
+Finally, the driver takes an unnecessary reference to the USB device
+structure in the probe function and drops the reference in the
+disconnect handler. This extra reference doesn't accomplish anything,
+because the USB core already guarantees that a device structure won't
+be deallocated while a driver is still bound to any of its interfaces.
+
+To fix these problems, this patch makes the following changes:
+
+ Call usb_driver_release_interface() rather than
+ device_release_driver().
+
+ Don't signal the completion until after the important
+ information has been copied out of the private data structure,
+ and don't refer to the private data at all thereafter.
+
+ Lock udev (the interface's parent) before unbinding the driver
+ instead of locking udev->parent.
+
+ During the firmware loading process, take a reference to the
+ USB interface instead of the USB device.
+
+ Don't take an unnecessary reference to the device during probe
+ (and then don't drop it during disconnect).
+
+Signed-off-by: Alan Stern
+Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
+CC:
+Acked-by: Christian Lamparter
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intersil/p54/p54usb.c | 43 ++++++++++++-----------------
+ 1 file changed, 18 insertions(+), 25 deletions(-)
+
+--- a/drivers/net/wireless/intersil/p54/p54usb.c
++++ b/drivers/net/wireless/intersil/p54/p54usb.c
+@@ -33,6 +33,8 @@ MODULE_ALIAS("prism54usb");
+ MODULE_FIRMWARE("isl3886usb");
+ MODULE_FIRMWARE("isl3887usb");
+
++static struct usb_driver p54u_driver;
++
+ /*
+ * Note:
+ *
+@@ -921,9 +923,9 @@ static void p54u_load_firmware_cb(const
+ {
+ struct p54u_priv *priv = context;
+ struct usb_device *udev = priv->udev;
++ struct usb_interface *intf = priv->intf;
+ int err;
+
+- complete(&priv->fw_wait_load);
+ if (firmware) {
+ priv->fw = firmware;
+ err = p54u_start_ops(priv);
+@@ -932,26 +934,22 @@ static void p54u_load_firmware_cb(const
+ dev_err(&udev->dev, "Firmware not found.\n");
+ }
+
+- if (err) {
+- struct device *parent = priv->udev->dev.parent;
+-
+- dev_err(&udev->dev, "failed to initialize device (%d)\n", err);
+-
+- if (parent)
+- device_lock(parent);
++ complete(&priv->fw_wait_load);
++ /*
++ * At this point p54u_disconnect may have already freed
++ * the "priv" context. Do not use it anymore!
++ */
++ priv = NULL;
+
+- device_release_driver(&udev->dev);
+- /*
+- * At this point p54u_disconnect has already freed
+- * the "priv" context. Do not use it anymore!
+- */
+- priv = NULL;
++ if (err) {
++ dev_err(&intf->dev, "failed to initialize device (%d)\n", err);
+
+- if (parent)
+- device_unlock(parent);
++ usb_lock_device(udev);
++ usb_driver_release_interface(&p54u_driver, intf);
++ usb_unlock_device(udev);
+ }
+
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ static int p54u_load_firmware(struct ieee80211_hw *dev,
+@@ -972,14 +970,14 @@ static int p54u_load_firmware(struct iee
+ dev_info(&priv->udev->dev, "Loading firmware file %s\n",
+ p54u_fwlist[i].fw);
+
+- usb_get_dev(udev);
++ usb_get_intf(intf);
+ err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw,
+ device, GFP_KERNEL, priv,
+ p54u_load_firmware_cb);
+ if (err) {
+ dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s "
+ "(%d)!\n", p54u_fwlist[i].fw, err);
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ return err;
+@@ -1011,8 +1009,6 @@ static int p54u_probe(struct usb_interfa
+ skb_queue_head_init(&priv->rx_queue);
+ init_usb_anchor(&priv->submitted);
+
+- usb_get_dev(udev);
+-
+ /* really lazy and simple way of figuring out if we're a 3887 */
+ /* TODO: should just stick the identification in the device table */
+ i = intf->altsetting->desc.bNumEndpoints;
+@@ -1053,10 +1049,8 @@ static int p54u_probe(struct usb_interfa
+ priv->upload_fw = p54u_upload_firmware_net2280;
+ }
+ err = p54u_load_firmware(dev, intf);
+- if (err) {
+- usb_put_dev(udev);
++ if (err)
+ p54_free_common(dev);
+- }
+ return err;
+ }
+
+@@ -1072,7 +1066,6 @@ static void p54u_disconnect(struct usb_i
+ wait_for_completion(&priv->fw_wait_load);
+ p54_unregister_common(dev);
+
+- usb_put_dev(interface_to_usbdev(intf));
+ release_firmware(priv->fw);
+ p54_free_common(dev);
+ }
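Review bot: In `p54u_load_firmware_cb()` the error path still calls `usb_lock_device(udev)` and `usb_unlock_device(udev)` after `complete(&priv->fw_wait_load)`, but after this change the only reference the callback holds is the one on `intf`; `udev` was copied out of `priv` and no `usb_get_dev()` remains in the visible hunks. That is safe only if a held interface reference also keeps its parent `usb_device` alive, which the code does not state. If that is the intent, a comment beside `usb_get_intf(intf)` in `p54u_load_firmware()` should record it, e.g. `/* the intf reference also pins udev for the callback */`, or the callback could derive the device with `interface_to_usbdev(intf)` so the dependency is visible. As a smaller point, the "Firmware not found" message still logs against `&udev->dev` while the new failure message uses `&intf->dev`.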
diff --git a/queue-4.19/revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch b/queue-4.19/revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
new file mode 100644
index 00000000000..d4430b68b37
--- /dev/null
+++ b/queue-4.19/revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
@@ -0,0 +1,39 @@
+From 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 Mon Sep 17 00:00:00 2001
+From: Oliver Barta
+Date: Wed, 19 Jun 2019 10:16:39 +0200
+Subject: Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
+
+From: Oliver Barta
+
+commit 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 upstream.
+
+This reverts commit 2e9fe539108320820016f78ca7704a7342788380.
+
+Reading LSR unconditionally but processing the error flags only if
+UART_IIR_RDI bit was set before in IIR may lead to a loss of transmission
+error information on UARTs where the transmission error flags are cleared
+by a read of LSR. Information are lost in case an error is detected right
+before the read of LSR while processing e.g. an UART_IIR_THRI interrupt.
+
+Signed-off-by: Oliver Barta
+Reviewed-by: Andy Shevchenko
+Fixes: 2e9fe5391083 ("serial: 8250: Don't service RX FIFO if interrupts are disabled")
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_port.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1869,8 +1869,7 @@ int serial8250_handle_irq(struct uart_po
+
+ status = serial_port_in(port, UART_LSR);
+
+- if (status & (UART_LSR_DR | UART_LSR_BI) &&
+- iir & UART_IIR_RDI) {
++ if (status & (UART_LSR_DR | UART_LSR_BI)) {
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
diff --git a/queue-4.19/series b/queue-4.19/series
index 96e9dd1f8a5..eb07a003042 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
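Review bot: Nothing at the restored `if (status & (UART_LSR_DR | UART_LSR_BI))` test in `serial8250_handle_irq()` records why it must not be narrowed by `iir` again, and commit 2e9fe5391083 shows that this narrowing looks attractive to later readers. The reason is given only in the commit message: LSR is read unconditionally just above, and on some UARTs that read clears the error flags. I would put it next to the code, e.g. `/* LSR read may clear error flags, so act on DR/BI whenever they are set, not only on UART_IIR_RDI */`. The description does not say how the case the reverted commit targeted (RX interrupts disabled) is meant to be handled now, so that deserves a sentence as well. The function body starts and ends outside the hunk.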
@@ -66,3 +66,17 @@ documentation-add-section-about-cpu-vulnerabilities-for-spectre.patch
 documentation-admin-remove-the-vsyscall-native-documentation.patch
 mwifiex-abort-at-too-short-bss-descriptor-element.patch
 mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch
+usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch
+usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch
+revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
+p54usb-fix-race-between-disconnect-and-firmware-loading.patch
+usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch
+usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch
+usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch
+drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch
+drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch
+staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch
+staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch
+hid-add-another-primax-pixart-oem-mouse-quirk.patch
+lkdtm-support-llvm-objcopy.patch
+binder-fix-memory-leak-in-error-path.patch
diff --git a/queue-4.19/staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch b/queue-4.19/staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch
new file mode 100644
index 00000000000..0da84a9e1b7
--- /dev/null
+++ b/queue-4.19/staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch
@@ -0,0 +1,45 @@
+From 7379e6baeddf580d01feca650ec1ad508b6ea8ee Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Wed, 26 Jun 2019 14:17:39 +0100
+Subject: staging: comedi: amplc_pci230: fix null pointer deref on interrupt
+
+From: Ian Abbott
+
+commit 7379e6baeddf580d01feca650ec1ad508b6ea8ee upstream.
+
+The interrupt handler `pci230_interrupt()` causes a null pointer
+dereference for a PCI260 card. There is no analog output subdevice for
+a PCI260. The `dev->write_subdev` subdevice pointer and therefore the
+`s_ao` subdevice pointer variable will be `NULL` for a PCI260. The
+following call near the end of the interrupt handler results in the null
+pointer dereference for a PCI260:
+
+ comedi_handle_events(dev, s_ao);
+
+Fix it by only calling the above function if `s_ao` is valid.
+
+Note that the other uses of `s_ao` in the calls
+`pci230_handle_ao_nofifo(dev, s_ao);` and `pci230_handle_ao_fifo(dev,
+s_ao);` will never be reached for a PCI260, so they are safe.
+
+Fixes: 39064f23284c ("staging: comedi: amplc_pci230: use comedi_handle_events()")
+Cc: # v3.19+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/amplc_pci230.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/amplc_pci230.c
++++ b/drivers/staging/comedi/drivers/amplc_pci230.c
+@@ -2330,7 +2330,8 @@ static irqreturn_t pci230_interrupt(int
+ devpriv->intr_running = false;
+ spin_unlock_irqrestore(&devpriv->isr_spinlock, irqflags);
+
+- comedi_handle_events(dev, s_ao);
++ if (s_ao)
++ comedi_handle_events(dev, s_ao);
+ comedi_handle_events(dev, s_ai);
+
+ return IRQ_HANDLED;
diff --git a/queue-4.19/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch b/queue-4.19/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch
new file mode 100644
index 00000000000..84e6d9eedd1
--- /dev/null
+++ b/queue-4.19/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch
@@ -0,0 +1,50 @@
+From b8336be66dec06bef518030a0df9847122053ec5 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Wed, 26 Jun 2019 14:18:04 +0100
+Subject: staging: comedi: dt282x: fix a null pointer deref on interrupt
+
+From: Ian Abbott
+
+commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
+
+The interrupt handler `dt282x_interrupt()` causes a null pointer
+dereference for those supported boards that have no analog output
+support. For these boards, `dev->write_subdev` will be `NULL` and
+therefore the `s_ao` subdevice pointer variable will be `NULL`. In that
+case, the following call near the end of the interrupt handler results
+in a null pointer dereference:
+
+ comedi_handle_events(dev, s_ao);
+
+Fix it by only calling the above function if `s_ao` is valid.
+
+(There are other uses of `s_ao` by the interrupt handler that may or may
+not be reached depending on values of hardware registers. Trust that
+they are reliable for now.)
+
+Note:
+commit 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()")
+propagates an earlier error from
+commit f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()").
+
+Fixes: 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()")
+Cc: # v3.19+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/dt282x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/dt282x.c
++++ b/drivers/staging/comedi/drivers/dt282x.c
+@@ -557,7 +557,8 @@ static irqreturn_t dt282x_interrupt(int
+ }
+ #endif
+ comedi_handle_events(dev, s);
+- comedi_handle_events(dev, s_ao);
++ if (s_ao)
++ comedi_handle_events(dev, s_ao);
+
+ return IRQ_RETVAL(handled);
+ }
diff --git a/queue-4.19/usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch b/queue-4.19/usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch
new file mode 100644
index 00000000000..178d22b6e34
--- /dev/null
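Review bot: The `if (s_ao)` guard added at the end of `dt282x_interrupt()` protects only the final `comedi_handle_events(dev, s_ao)` call, while the description itself says other uses of `s_ao` in the handler may still be reached depending on hardware register values. On a board without analog output those paths would dereference NULL whenever the device reports the corresponding status bits, and a faulty or emulated device can report them, so register contents should not be trusted to keep them unreachable. Each remaining use should be guarded by `s_ao` as well, or the analog-output status handling skipped up front when `!s_ao`. The handler body starts outside this hunk, so the exact sites cannot be listed from here.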
+++ b/queue-4.19/usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch
@@ -0,0 +1,43 @@
+From dfc4fdebc5d62ac4e2fe5428e59b273675515fb2 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl
+Date: Thu, 20 Jun 2019 19:50:22 +0200
+Subject: usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset()
+
+From: Martin Blumenstingl
+
+commit dfc4fdebc5d62ac4e2fe5428e59b273675515fb2 upstream.
+
+Use a 10000us AHB idle timeout in dwc2_core_reset() and make it
+consistent with the other "wait for AHB master IDLE state" ocurrences.
+
+This fixes a problem for me where dwc2 would not want to initialize when
+updating to 4.19 on a MIPS Lantiq VRX200 SoC. dwc2 worked fine with
+4.14.
+Testing on my board shows that it takes 180us until AHB master IDLE
+state is signalled. The very old vendor driver for this SoC (ifxhcd)
+used a 1 second timeout.
+Use the same timeout that is used everywhere when polling for
+GRSTCTL_AHBIDLE instead of using a timeout that "works for one board"
+(180us in my case) to have consistent behavior across the dwc2 driver.
+
+Cc: linux-stable # 4.19+
+Acked-by: Minas Harutyunyan
+Signed-off-by: Martin Blumenstingl
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc2/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/core.c
++++ b/drivers/usb/dwc2/core.c
+@@ -531,7 +531,7 @@ int dwc2_core_reset(struct dwc2_hsotg *h
+ }
+
+ /* Wait for AHB master IDLE state */
+- if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 50)) {
++ if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 10000)) {
+ dev_warn(hsotg->dev, "%s: HANG! AHB Idle timeout GRSTCTL GRSTCTL_AHBIDLE\n",
+ __func__);
+ return -EBUSY;
diff --git a/queue-4.19/usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch b/queue-4.19/usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch
new file mode 100644
index 00000000000..73ac1522728
--- /dev/null
+++ b/queue-4.19/usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch
@@ -0,0 +1,50 @@
+From d29fcf7078bc8be2b6366cbd4418265b53c94fac Mon Sep 17 00:00:00 2001
+From: Kiruthika Varadarajan
+Date: Tue, 18 Jun 2019 08:39:06 +0000
+Subject: usb: gadget: ether: Fix race between gether_disconnect and rx_submit
+
+From: Kiruthika Varadarajan
+
+commit d29fcf7078bc8be2b6366cbd4418265b53c94fac upstream.
+
+On spin lock release in rx_submit, gether_disconnect get a chance to
+run, it makes port_usb NULL, rx_submit access NULL port USB, hence null
+pointer crash.
+
+Fixed by releasing the lock in rx_submit after port_usb is used.
+
+Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core")
+Cc:
+Signed-off-by: Kiruthika Varadarajan
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/u_ether.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -186,11 +186,12 @@ rx_submit(struct eth_dev *dev, struct us
+ out = dev->port_usb->out_ep;
+ else
+ out = NULL;
+- spin_unlock_irqrestore(&dev->lock, flags);
+
+ if (!out)
++ {
++ spin_unlock_irqrestore(&dev->lock, flags);
+ return -ENOTCONN;
+-
++ }
+
+ /* Padding up to RX_EXTRA handles minor disagreements with host.
+ * Normally we use the USB "terminate on short read" convention;
+@@ -214,6 +215,7 @@ rx_submit(struct eth_dev *dev, struct us
+
+ if (dev->port_usb->is_fixed)
+ size = max_t(size_t, size, dev->port_usb->fixed_out_len);
++ spin_unlock_irqrestore(&dev->lock, flags);
+
+ skb = __netdev_alloc_skb(dev->net, size + NET_IP_ALIGN, gfp_flags);
+ if (skb == NULL) {
diff --git a/queue-4.19/usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch b/queue-4.19/usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch
new file mode 100644
index 00000000000..5c43a5f5da1
--- /dev/null
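Review bot: The block added in `rx_submit()` puts the opening brace on a line of its own (`if (!out)` followed by `{`), unlike the `if (skb == NULL) {` a few lines further down; it should read `if (!out) {`. Beyond style, `out` is read from `dev->port_usb->out_ep` under `dev->lock`, but the lock is released before the skb is allocated. If `out` is used again after that point, that use is not covered by the protection this patch adds, and a comment should say why the endpoint pointer is still valid there. The rest of the function lies outside both hunks, so this cannot be confirmed from here.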
+++ b/queue-4.19/usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch 
@@ -0,0 +1,129 @@
+From b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda
+Date: Wed, 26 Jun 2019 22:06:33 +0900
+Subject: usb: renesas_usbhs: add a workaround for a race condition of workqueue
+
+From: Yoshihiro Shimoda
+
+commit b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 upstream.
+
+The old commit 6e4b74e4690d ("usb: renesas: fix scheduling in atomic
+context bug") fixed an atomic issue by using workqueue for the shdmac
+dmaengine driver. However, this has a potential race condition issue
+between the work pending and usbhsg_ep_free_request() in gadget mode.
+When usbhsg_ep_free_request() is called while pending the queue,
+since the work_struct will be freed and then the work handler is
+called, kernel panic happens on process_one_work().
+
+To fix the issue, if we could call cancel_work_sync() at somewhere
+before the free request, it could be easy. However,
+the usbhsg_ep_free_request() is called on atomic (e.g. f_ncm driver
+calls free request via gether_disconnect()).
+
+For now, almost all users are having "USB-DMAC" and the DMAengine
+driver can be used on atomic. So, this patch adds a workaround for
+a race condition to call the DMAengine APIs without the workqueue.
+
+This means we still have TODO on shdmac environment (SH7724), but
+since it doesn't have SMP, the race condition might not happen.
+
+Fixes: ab330cf3888d ("usb: renesas_usbhs: add support for USB-DMAC")
+Cc: # v4.1+
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -802,9 +802,8 @@ static int __usbhsf_dma_map_ctrl(struct
+ }
+
+ static void usbhsf_dma_complete(void *arg);
+-static void xfer_work(struct work_struct *work)
++static void usbhsf_dma_xfer_preparing(struct usbhs_pkt *pkt)
+ {
+- struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
+ struct usbhs_pipe *pipe = pkt->pipe;
+ struct usbhs_fifo *fifo;
+ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
+@@ -812,12 +811,10 @@ static void xfer_work(struct work_struct
+ struct dma_chan *chan;
+ struct device *dev = usbhs_priv_to_dev(priv);
+ enum dma_transfer_direction dir;
+- unsigned long flags;
+
+- usbhs_lock(priv, flags);
+ fifo = usbhs_pipe_to_fifo(pipe);
+ if (!fifo)
+- goto xfer_work_end;
++ return;
+
+ chan = usbhsf_dma_chan_get(fifo, pkt);
+ dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
+@@ -826,7 +823,7 @@ static void xfer_work(struct work_struct
+ pkt->trans, dir,
+ DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+ if (!desc)
+- goto xfer_work_end;
++ return;
+
+ desc->callback = usbhsf_dma_complete;
+ desc->callback_param = pipe;
+@@ -834,7 +831,7 @@ static void xfer_work(struct work_struct
+ pkt->cookie = dmaengine_submit(desc);
+ if (pkt->cookie < 0) {
+ dev_err(dev, "Failed to submit dma descriptor\n");
+- goto xfer_work_end;
++ return;
+ }
+
+ dev_dbg(dev, " %s %d (%d/ %d)\n",
+@@ -845,8 +842,17 @@ static void xfer_work(struct work_struct
+ dma_async_issue_pending(chan);
+ usbhsf_dma_start(pipe, fifo);
+ usbhs_pipe_enable(pipe);
++}
++
++static void xfer_work(struct work_struct *work)
++{
++ struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
++ struct usbhs_pipe *pipe = pkt->pipe;
++ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
++ unsigned long flags;
+
+-xfer_work_end:
++ usbhs_lock(priv, flags);
++ usbhsf_dma_xfer_preparing(pkt);
+ usbhs_unlock(priv, flags);
+ }
+
+@@ -899,8 +905,13 @@ static int usbhsf_dma_prepare_push(struc
+ pkt->trans = len;
+
+ usbhsf_tx_irq_ctrl(pipe, 0);
+- INIT_WORK(&pkt->work, xfer_work);
+- schedule_work(&pkt->work);
++ /* FIXME: Workaound for usb dmac that driver can be used in atomic */
++ if (usbhs_get_dparam(priv, has_usb_dmac)) {
++ usbhsf_dma_xfer_preparing(pkt);
++ } else {
++ INIT_WORK(&pkt->work, xfer_work);
++ schedule_work(&pkt->work);
++ }
+
+ return 0;
+
+@@ -1006,8 +1017,7 @@ static int usbhsf_dma_prepare_pop_with_u
+
+ pkt->trans = pkt->length;
+
+- INIT_WORK(&pkt->work, xfer_work);
+- schedule_work(&pkt->work);
++ usbhsf_dma_xfer_preparing(pkt);
+
+ return 0;
+
diff --git a/queue-4.19/usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch b/queue-4.19/usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch
new file mode 100644
index 00000000000..f25e7937fc2
--- /dev/null
+++ b/queue-4.19/usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch
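Review bot: `usbhsf_dma_xfer_preparing()` no longer takes the lock itself: `xfer_work()` wraps it in `usbhs_lock()`/`usbhs_unlock()`, but the direct calls added in `usbhsf_dma_prepare_push()` and `usbhsf_dma_prepare_pop_with_usb_dmac()` take no lock in the visible lines, so they presumably rely on their callers already holding it. That requirement should be written on the helper, e.g. `/* Must be called with the usbhs lock held; may run in atomic context */`. The helper also returns `void`, so when `fifo` is NULL, the descriptor cannot be prepared or `dmaengine_submit()` fails, the two direct callers still return 0 and the packet is never started. On the workqueue path that could not be reported, but the synchronous path could return an error to its caller. The new FIXME comment also misspells "Workaround" as `Workaound`.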
@@ -0,0 +1,44 @@
+From f8377eff548170e8ea8022c067a1fbdf9e1c46a8 Mon Sep 17 00:00:00 2001
+From: Andreas Fritiofson
+Date: Fri, 28 Jun 2019 15:08:34 +0200
+Subject: USB: serial: ftdi_sio: add ID for isodebug v1
+
+From: Andreas Fritiofson
+
+commit f8377eff548170e8ea8022c067a1fbdf9e1c46a8 upstream.
+
+This adds the vid:pid of the isodebug v1 isolated JTAG/SWD+UART. Only the
+second channel is available for use as a serial port.
+
+Signed-off-by: Andreas Fritiofson
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1019,6 +1019,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
+ /* EZPrototypes devices */
+ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) },
++ { USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1543,3 +1543,9 @@
+ #define CHETCO_SEASMART_DISPLAY_PID 0xA5AD /* SeaSmart NMEA2000 Display */
+ #define CHETCO_SEASMART_LITE_PID 0xA5AE /* SeaSmart Lite USB Adapter */
+ #define CHETCO_SEASMART_ANALOG_PID 0xA5AF /* SeaSmart Analog Adapter */
++
++/*
++ * Unjo AB
++ */
++#define UNJO_VID 0x22B7
++#define UNJO_ISODEBUG_V1_PID 0x150D
diff --git a/queue-4.19/usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch b/queue-4.19/usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch
new file mode 100644
index 00000000000..03556decee3
--- /dev/null
+++ b/queue-4.19/usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch
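Review bot: The added `{ USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) },` entry in the ftdi_sio.c hunk sits directly under `/* EZPrototypes devices */`, so it reads as an EZPrototypes device, and nothing in the table records why the match is limited to interface 1. The commit message gives the reason (only the second channel is usable as a serial port; the first presumably carries the JTAG/SWD function), and that belongs next to the entry so a later cleanup does not widen it to a plain `USB_DEVICE()` match and bind the serial driver to the debug channel. I would add `/* Unjo devices: isodebug v1, only the second channel is a serial port */` above the new line. The id_table initializer starts outside the hunk.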
@@ -0,0 +1,46 @@
+From aed2a26283528fb69c38e414f649411aa48fb391 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?=
+Date: Wed, 19 Jun 2019 00:30:19 +0200
+Subject: USB: serial: option: add support for GosunCn ME3630 RNDIS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jörgen Storvist
+
+commit aed2a26283528fb69c38e414f649411aa48fb391 upstream.
+
+Added USB IDs for GosunCn ME3630 cellular module in RNDIS mode.
+
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=03 Dev#= 18 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=19d2 ProdID=0601 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=b950269c
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+
+Signed-off-by: Jörgen Storvist
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1343,6 +1343,7 @@ static const struct usb_device_id option
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) },
++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0601, 0xff) }, /* GosunCn ZTE WeLink ME3630 (RNDIS mode) */
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff),
+ .driver_info = RSVD(4) },
-- 2.47.3