From: Greg Kroah-Hartman Date: Wed, 16 Jul 2025 14:12:06 +0000 (+0200) Subject: drop a rcu and some usbtmc patches X-Git-Tag: v5.4.296~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60679523dd87bb3b9a19093322a8e32b4188be82;p=thirdparty%2Fkernel%2Fstable-queue.git drop a rcu and some usbtmc patches
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 608e591353..ae31696991 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -18,9 +18,6 @@ alsa-hda-ignore-unsol-events-for-cards-being-shut-do.patch
 alsa-hda-add-new-pci-id-for-amd-gpu-display-hd-audio.patch
 ceph-fix-possible-integer-overflow-in-ceph_zero_obje.patch
 ovl-check-for-null-d_inode-in-ovl_dentry_upper.patch
-usb-usbtmc-fix-reading-stale-status-byte.patch
-usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
-usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch
 vmci-check-context-notify_page-after-call-to-get_use.patch
 vmci-fix-race-between-vmci_host_setup_notify-and-vmc.patch
 usb-typec-tcpci_maxim-fix-uninitialized-return-varia.patch
diff --git a/queue-5.10/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch b/queue-5.10/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
deleted file mode 100644
index 4fedf15297..0000000000
--- a/queue-5.10/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 5ec45ce09425bdcde3031d74afeb448ec7783e44 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 15 Dec 2020 16:56:19 +0100
-Subject: USB: usbtmc: Add USBTMC_IOCTL_GET_STB
-
-From: Dave Penkler
-
-[ Upstream commit c9784e23c1020e63d6dba5e10ca8bf3d8b85c19c ]
-
-This new ioctl reads the status byte (STB) from the device and returns
-the STB unmodified to the application. The srq_asserted bit is not taken
-into account and not changed.
-
-This ioctl is useful to support non USBTMC-488 compliant devices.
-
-Tested-by: Jian-Wei Wu
-Reviewed-by: Guido Kiener
-Signed-off-by: Dave Penkler
-Link: https://lore.kernel.org/r/20201215155621.9592-3-dpenkler@gmail.com
-Signed-off-by: Greg Kroah-Hartman
-Stable-dep-of: acb3dac2805d ("usb: usbtmc: Fix read_stb function and get_stb ioctl")
-Signed-off-by: Sasha Levin
----
- drivers/usb/class/usbtmc.c | 6 ++++++
- include/uapi/linux/usb/tmc.h | 2 ++
- 2 files changed, 8 insertions(+)
-
-diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
-index bfd99d461f813..093040ea7e065 100644
---- a/drivers/usb/class/usbtmc.c
-+++ b/drivers/usb/class/usbtmc.c
-@@ -2173,6 +2173,12 @@ static long usbtmc_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- file_data->auto_abort = !!tmp_byte;
- break;
-
-+ case USBTMC_IOCTL_GET_STB:
-+ retval = usbtmc_get_stb(file_data, &tmp_byte);
-+ if (retval > 0)
-+ retval = put_user(tmp_byte, (__u8 __user *)arg);
-+ break;
-+
- case USBTMC_IOCTL_CANCEL_IO:
- retval = usbtmc_ioctl_cancel_io(file_data);
- break;
-diff --git a/include/uapi/linux/usb/tmc.h b/include/uapi/linux/usb/tmc.h
-index fdd4d88a7b95d..1e7878fe591f4 100644
---- a/include/uapi/linux/usb/tmc.h
-+++ b/include/uapi/linux/usb/tmc.h
-@@ -102,6 +102,8 @@ struct usbtmc_message {
- #define USBTMC_IOCTL_MSG_IN_ATTR _IOR(USBTMC_IOC_NR, 24, __u8)
- #define USBTMC_IOCTL_AUTO_ABORT _IOW(USBTMC_IOC_NR, 25, __u8)
-
-+#define USBTMC_IOCTL_GET_STB _IOR(USBTMC_IOC_NR, 26, __u8)
-+
- /* Cancel and cleanup asynchronous calls */
- #define USBTMC_IOCTL_CANCEL_IO _IO(USBTMC_IOC_NR, 35)
- #define USBTMC_IOCTL_CLEANUP_IO _IO(USBTMC_IOC_NR, 36)
---
-2.39.5
-
diff --git a/queue-5.10/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch b/queue-5.10/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch
deleted file mode 100644
index f7e22e27cf..0000000000
--- a/queue-5.10/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 9b826392006da06fa29322c4dd553af139bfa944 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 21 May 2025 14:16:55 +0200
-Subject: usb: usbtmc: Fix read_stb function and get_stb ioctl
-
-From: Dave Penkler
-
-[ Upstream commit acb3dac2805d3342ded7dbbd164add32bbfdf21c ]
-
-The usbtmc488_ioctl_read_stb function relied on a positive return from
-usbtmc_get_stb to reset the srq condition in the driver. The
-USBTMC_IOCTL_GET_STB case tested for a positive return to return the stb
-to the user.
-
-Commit: ("usb: usbtmc: Fix erroneous get_stb ioctl
-error returns") changed the return value of usbtmc_get_stb to 0 on
-success instead of returning the value of usb_control_msg which is
-positive in the normal case. This change caused the function
-usbtmc488_ioctl_read_stb and the USBTMC_IOCTL_GET_STB ioctl to no
-longer function correctly.
-
-Change the test in usbtmc488_ioctl_read_stb to test for failure
-first and return the failure code immediately.
-Change the test for the USBTMC_IOCTL_GET_STB ioctl to test for 0
-instead of a positive value.
-
-Fixes: cac01bd178d6 ("usb: usbtmc: Fix erroneous get_stb ioctl error returns")
-Cc: stable@vger.kernel.org
-Signed-off-by: Dave Penkler
-Link: https://lore.kernel.org/r/20250521121656.18174-3-dpenkler@gmail.com
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sasha Levin
----
- drivers/usb/class/usbtmc.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
-index 093040ea7e065..fe1152e7053f4 100644
---- a/drivers/usb/class/usbtmc.c
-+++ b/drivers/usb/class/usbtmc.c
-@@ -565,14 +565,15 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
-
- rv = usbtmc_get_stb(file_data, &stb);
-
-- if (rv > 0) {
-- srq_asserted = atomic_xchg(&file_data->srq_asserted,
-- srq_asserted);
-- if (srq_asserted)
-- stb |= 0x40; /* Set RQS bit */
-+ if (rv < 0)
-+ return rv;
-+
-+ srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted);
-+ if (srq_asserted)
-+ stb |= 0x40; /* Set RQS bit */
-+
-+ rv = put_user(stb, (__u8 __user *)arg);
-
-- rv = put_user(stb, (__u8 __user *)arg);
-- }
- return rv;
-
- }
-@@ -2175,7 +2176,7 @@ static long usbtmc_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-
- case USBTMC_IOCTL_GET_STB:
- retval = usbtmc_get_stb(file_data, &tmp_byte);
-- if (retval > 0)
-+ if (!retval)
- retval = put_user(tmp_byte, (__u8 __user *)arg);
- break;
-
---
-2.39.5
-
diff --git a/queue-5.10/usb-usbtmc-fix-reading-stale-status-byte.patch b/queue-5.10/usb-usbtmc-fix-reading-stale-status-byte.patch
deleted file mode 100644
index c4a068e9b9..0000000000
--- a/queue-5.10/usb-usbtmc-fix-reading-stale-status-byte.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From e729dd966dc7c2b933cc0e9aaf0e1d9f7a22735b Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 15 Dec 2020 16:56:18 +0100
-Subject: USB: usbtmc: Fix reading stale status byte
-
-From: Dave Penkler
-
-[ Upstream commit 3c1037e2b6a94898f81ed1a68bea146a9db750a5 ]
-
-The ioctl USBTMC488_IOCTL_READ_STB either returns a cached status byte
-(STB) sent by the device due to a service request (SRQ) condition or
-the STB obtained from a query to the device with a READ_STATUS_BYTE
-control message.
-
-When the query is interrupted by an SRQ message on the interrupt pipe,
-the ioctl still returns the requested STB while the STB of the
-out-of-band SRQ message is cached for the next call of this
-ioctl. However the cached SRQ STB represents a state that was previous
-to the last returned STB. Furthermore the cached SRQ STB can be stale
-and not reflect the current state of the device.
-
-The fixed ioctl now always reads the STB from the device and if the
-associated file descriptor has the srq_asserted bit set it ors in the
-RQS bit to the returned STB and clears the srq_asserted bit conformant
-to subclass USB488 devices.
-
-Tested-by: Jian-Wei Wu
-Reviewed-by: Guido Kiener
-Signed-off-by: Dave Penkler
-Link: https://lore.kernel.org/r/20201215155621.9592-2-dpenkler@gmail.com
-Signed-off-by: Greg Kroah-Hartman
-Stable-dep-of: acb3dac2805d ("usb: usbtmc: Fix read_stb function and get_stb ioctl")
-Signed-off-by: Sasha Levin
----
- drivers/usb/class/usbtmc.c | 46 +++++++++++++++++++++-----------------
- 1 file changed, 25 insertions(+), 21 deletions(-)
-
-diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
-index ff706f48e0ada..bfd99d461f813 100644
---- a/drivers/usb/class/usbtmc.c
-+++ b/drivers/usb/class/usbtmc.c
-@@ -475,15 +475,12 @@ static int usbtmc_ioctl_abort_bulk_out(struct usbtmc_device_data *data)
- return usbtmc_ioctl_abort_bulk_out_tag(data, data->bTag_last_write);
- }
-
--static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
-- void __user *arg)
-+static int usbtmc_get_stb(struct usbtmc_file_data *file_data, __u8 *stb)
- {
- struct usbtmc_device_data *data = file_data->data;
- struct device *dev = &data->intf->dev;
-- int srq_asserted = 0;
- u8 *buffer;
- u8 tag;
-- __u8 stb;
- int rv;
- long wait_rv;
- unsigned long expire;
-@@ -491,19 +488,6 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
- dev_dbg(dev, "Enter ioctl_read_stb iin_ep_present: %d\n",
- data->iin_ep_present);
-
-- spin_lock_irq(&data->dev_lock);
-- srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted);
-- if (srq_asserted) {
-- /* a STB with SRQ is already received */
-- stb = file_data->srq_byte;
-- spin_unlock_irq(&data->dev_lock);
-- rv = put_user(stb, (__u8 __user *)arg);
-- dev_dbg(dev, "stb:0x%02x with srq received %d\n",
-- (unsigned int)stb, rv);
-- return rv;
-- }
-- spin_unlock_irq(&data->dev_lock);
--
- buffer = kmalloc(8, GFP_KERNEL);
- if (!buffer)
- return -ENOMEM;
-@@ -552,13 +536,12 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
- data->iin_bTag, tag);
- }
-
-- stb = data->bNotify2;
-+ *stb = data->bNotify2;
- } else {
-- stb = buffer[2];
-+ *stb = buffer[2];
- }
-
-- rv = put_user(stb, (__u8 __user *)arg);
-- dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)stb, rv);
-+ dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)*stb, rv);
-
- rv = 0;
-
-@@ -573,6 +556,27 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
- return rv;
- }
-
-+static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
-+ void __user *arg)
-+{
-+ int srq_asserted = 0;
-+ __u8 stb;
-+ int rv;
-+
-+ rv = usbtmc_get_stb(file_data, &stb);
-+
-+ if (rv > 0) {
-+ srq_asserted = atomic_xchg(&file_data->srq_asserted,
-+ srq_asserted);
-+ if (srq_asserted)
-+ stb |= 0x40; /* Set RQS bit */
-+
-+ rv = put_user(stb, (__u8 __user *)arg);
-+ }
-+ return rv;
-+
-+}
-+
- static int usbtmc488_ioctl_wait_srq(struct usbtmc_file_data *file_data,
- __u32 __user *arg)
- {
---
-2.39.5
-
diff --git a/queue-5.4/rcu-return-early-if-callback-is-not-specified.patch b/queue-5.4/rcu-return-early-if-callback-is-not-specified.patch
deleted file mode 100644
index af2ec4c789..0000000000
--- a/queue-5.4/rcu-return-early-if-callback-is-not-specified.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 475e4713034a7eae1cab1a60a8d7c4728aaeab5c Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 10 Jun 2025 19:34:48 +0200
-Subject: rcu: Return early if callback is not specified
-
-From: Uladzislau Rezki (Sony)
-
-[ Upstream commit 33b6a1f155d627f5bd80c7485c598ce45428f74f ]
-
-Currently the call_rcu() API does not check whether a callback
-pointer is NULL. If NULL is passed, rcu_core() will try to invoke
-it, resulting in NULL pointer dereference and a kernel crash.
-
-To prevent this and improve debuggability, this patch adds a check
-for NULL and emits a kernel stack trace to help identify a faulty
-caller.
-
-Signed-off-by: Uladzislau Rezki (Sony)
-Reviewed-by: Joel Fernandes
-Signed-off-by: Joel Fernandes
-Signed-off-by: Sasha Levin
----
- kernel/rcu/tree.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
-index 615283404d9dc..562c1ff452837 100644
---- a/kernel/rcu/tree.c
-+++ b/kernel/rcu/tree.c
-@@ -2568,6 +2568,10 @@ __call_rcu(struct rcu_head *head, rcu_callback_t func, bool lazy)
- /* Misaligned rcu_head! */
- WARN_ON_ONCE((unsigned long)head & (sizeof(void *) - 1));
-
-+ /* Avoid NULL dereference if callback is NULL. */
-+ if (WARN_ON_ONCE(!func))
-+ return;
-+
- if (debug_rcu_head_queue(head)) {
- /*
- * Probable double call_rcu(), so leak the callback.
---
-2.39.5
-
diff --git a/queue-5.4/series b/queue-5.4/series
index 3e6004344a..6857c421d1 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -12,9 +12,6 @@ usb-typec-displayport-receive-dp-status-update-nak-r.patch
 alsa-hda-ignore-unsol-events-for-cards-being-shut-do.patch
 ceph-fix-possible-integer-overflow-in-ceph_zero_obje.patch
 ovl-check-for-null-d_inode-in-ovl_dentry_upper.patch
-usb-usbtmc-fix-reading-stale-status-byte.patch
-usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
-usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch
 vmci-check-context-notify_page-after-call-to-get_use.patch
 vmci-fix-race-between-vmci_host_setup_notify-and-vmc.patch
 kbuild-use-mmd-instead-of-md-to-exclude-system-heade.patch
@@ -75,7 +72,6 @@ powerpc-fix-struct-termio-related-ioctl-macros.patch
 wifi-mac80211-drop-invalid-source-address-ocb-frames.patch
 wifi-ath6kl-remove-warn-on-bad-firmware-input.patch
 acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch
-rcu-return-early-if-callback-is-not-specified.patch
 regulator-gpio-add-input_supply-support-in-gpio_regu.patch
 regulator-gpio-fix-the-out-of-bounds-access-to-drvda.patch
 mmc-mediatek-use-data-instead-of-mrq-parameter-from-.patch
diff --git a/queue-5.4/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch b/queue-5.4/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
deleted file mode 100644
index 7d74dcd88f..0000000000
--- a/queue-5.4/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 7245b240b8e32f7298f4e8c93cdc8115fac3cf8e Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 15 Dec 2020 16:56:19 +0100
-Subject: USB: usbtmc: Add USBTMC_IOCTL_GET_STB
-
-From: Dave Penkler
-
-[ Upstream commit c9784e23c1020e63d6dba5e10ca8bf3d8b85c19c ]
-
-This new ioctl reads the status byte (STB) from the device and returns
-the STB unmodified to the application. The srq_asserted bit is not taken
-into account and not changed.
-
-This ioctl is useful to support non USBTMC-488 compliant devices.
-
-Tested-by: Jian-Wei Wu
-Reviewed-by: Guido Kiener
-Signed-off-by: Dave Penkler
-Link: https://lore.kernel.org/r/20201215155621.9592-3-dpenkler@gmail.com
-Signed-off-by: Greg Kroah-Hartman
-Stable-dep-of: acb3dac2805d ("usb: usbtmc: Fix read_stb function and get_stb ioctl")
-Signed-off-by: Sasha Levin
----
- drivers/usb/class/usbtmc.c | 6 ++++++
- include/uapi/linux/usb/tmc.h | 2 ++
- 2 files changed, 8 insertions(+)
-
-diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
-index d47ec01d29778..738ef160109bf 100644
---- a/drivers/usb/class/usbtmc.c
-+++ b/drivers/usb/class/usbtmc.c
-@@ -2173,6 +2173,12 @@ static long usbtmc_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- file_data->auto_abort = !!tmp_byte;
- break;
-
-+ case USBTMC_IOCTL_GET_STB:
-+ retval = usbtmc_get_stb(file_data, &tmp_byte);
-+ if (retval > 0)
-+ retval = put_user(tmp_byte, (__u8 __user *)arg);
-+ break;
-+
- case USBTMC_IOCTL_CANCEL_IO:
- retval = usbtmc_ioctl_cancel_io(file_data);
- break;
-diff --git a/include/uapi/linux/usb/tmc.h b/include/uapi/linux/usb/tmc.h
-index fdd4d88a7b95d..1e7878fe591f4 100644
---- a/include/uapi/linux/usb/tmc.h
-+++ b/include/uapi/linux/usb/tmc.h
-@@ -102,6 +102,8 @@ struct usbtmc_message {
- #define USBTMC_IOCTL_MSG_IN_ATTR _IOR(USBTMC_IOC_NR, 24, __u8)
- #define USBTMC_IOCTL_AUTO_ABORT _IOW(USBTMC_IOC_NR, 25, __u8)
-
-+#define USBTMC_IOCTL_GET_STB _IOR(USBTMC_IOC_NR, 26, __u8)
-+
- /* Cancel and cleanup asynchronous calls */
- #define USBTMC_IOCTL_CANCEL_IO _IO(USBTMC_IOC_NR, 35)
- #define USBTMC_IOCTL_CLEANUP_IO _IO(USBTMC_IOC_NR, 36)
---
-2.39.5
-
diff --git a/queue-5.4/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch b/queue-5.4/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch
deleted file mode 100644
index 82ac68006a..0000000000
--- a/queue-5.4/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 07ca6c3da8a96215d2f6131b838340ef790aab81 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 21 May 2025 14:16:55 +0200
-Subject: usb: usbtmc: Fix read_stb function and get_stb ioctl
-
-From: Dave Penkler
-
-[ Upstream commit acb3dac2805d3342ded7dbbd164add32bbfdf21c ]
-
-The usbtmc488_ioctl_read_stb function relied on a positive return from
-usbtmc_get_stb to reset the srq condition in the driver. The
-USBTMC_IOCTL_GET_STB case tested for a positive return to return the stb
-to the user.
-
-Commit: ("usb: usbtmc: Fix erroneous get_stb ioctl
-error returns") changed the return value of usbtmc_get_stb to 0 on
-success instead of returning the value of usb_control_msg which is
-positive in the normal case. This change caused the function
-usbtmc488_ioctl_read_stb and the USBTMC_IOCTL_GET_STB ioctl to no
-longer function correctly.
-
-Change the test in usbtmc488_ioctl_read_stb to test for failure
-first and return the failure code immediately.
-Change the test for the USBTMC_IOCTL_GET_STB ioctl to test for 0
-instead of a positive value.
-
-Fixes: cac01bd178d6 ("usb: usbtmc: Fix erroneous get_stb ioctl error returns")
-Cc: stable@vger.kernel.org
-Signed-off-by: Dave Penkler
-Link: https://lore.kernel.org/r/20250521121656.18174-3-dpenkler@gmail.com
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sasha Levin
----
- drivers/usb/class/usbtmc.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
-index 738ef160109bf..9f084058b1956 100644
---- a/drivers/usb/class/usbtmc.c
-+++ b/drivers/usb/class/usbtmc.c
-@@ -565,14 +565,15 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
-
- rv = usbtmc_get_stb(file_data, &stb);
-
-- if (rv > 0) {
-- srq_asserted = atomic_xchg(&file_data->srq_asserted,
-- srq_asserted);
-- if (srq_asserted)
-- stb |= 0x40; /* Set RQS bit */
-+ if (rv < 0)
-+ return rv;
-+
-+ srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted);
-+ if (srq_asserted)
-+ stb |= 0x40; /* Set RQS bit */
-+
-+ rv = put_user(stb, (__u8 __user *)arg);
-
-- rv = put_user(stb, (__u8 __user *)arg);
-- }
- return rv;
-
- }
-@@ -2175,7 +2176,7 @@ static long usbtmc_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-
- case USBTMC_IOCTL_GET_STB:
- retval = usbtmc_get_stb(file_data, &tmp_byte);
-- if (retval > 0)
-+ if (!retval)
- retval = put_user(tmp_byte, (__u8 __user *)arg);
- break;
-
---
-2.39.5
-
diff --git a/queue-5.4/usb-usbtmc-fix-reading-stale-status-byte.patch b/queue-5.4/usb-usbtmc-fix-reading-stale-status-byte.patch
deleted file mode 100644
index 50a29cb81a..0000000000
--- a/queue-5.4/usb-usbtmc-fix-reading-stale-status-byte.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 10429899c1d7ade01788fdcc316a32c768ee33ba Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 15 Dec 2020 16:56:18 +0100
-Subject: USB: usbtmc: Fix reading stale status byte
-
-From: Dave Penkler
-
-[ Upstream commit 3c1037e2b6a94898f81ed1a68bea146a9db750a5 ]
-
-The ioctl USBTMC488_IOCTL_READ_STB either returns a cached status byte
-(STB) sent by the device due to a service request (SRQ) condition or
-the STB obtained from a query to the device with a READ_STATUS_BYTE
-control message.
-
-When the query is interrupted by an SRQ message on the interrupt pipe,
-the ioctl still returns the requested STB while the STB of the
-out-of-band SRQ message is cached for the next call of this
-ioctl. However the cached SRQ STB represents a state that was previous
-to the last returned STB. Furthermore the cached SRQ STB can be stale
-and not reflect the current state of the device.
-
-The fixed ioctl now always reads the STB from the device and if the
-associated file descriptor has the srq_asserted bit set it ors in the
-RQS bit to the returned STB and clears the srq_asserted bit conformant
-to subclass USB488 devices.
-
-Tested-by: Jian-Wei Wu
-Reviewed-by: Guido Kiener
-Signed-off-by: Dave Penkler
-Link: https://lore.kernel.org/r/20201215155621.9592-2-dpenkler@gmail.com
-Signed-off-by: Greg Kroah-Hartman
-Stable-dep-of: acb3dac2805d ("usb: usbtmc: Fix read_stb function and get_stb ioctl")
-Signed-off-by: Sasha Levin
----
- drivers/usb/class/usbtmc.c | 46 +++++++++++++++++++++-----------------
- 1 file changed, 25 insertions(+), 21 deletions(-)
-
-diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
-index d8ed205e6b439..d47ec01d29778 100644
---- a/drivers/usb/class/usbtmc.c
-+++ b/drivers/usb/class/usbtmc.c
-@@ -475,15 +475,12 @@ static int usbtmc_ioctl_abort_bulk_out(struct usbtmc_device_data *data)
- return usbtmc_ioctl_abort_bulk_out_tag(data, data->bTag_last_write);
- }
-
--static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
-- void __user *arg)
-+static int usbtmc_get_stb(struct usbtmc_file_data *file_data, __u8 *stb)
- {
- struct usbtmc_device_data *data = file_data->data;
- struct device *dev = &data->intf->dev;
-- int srq_asserted = 0;
- u8 *buffer;
- u8 tag;
-- __u8 stb;
- int rv;
- long wait_rv;
- unsigned long expire;
-@@ -491,19 +488,6 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
- dev_dbg(dev, "Enter ioctl_read_stb iin_ep_present: %d\n",
- data->iin_ep_present);
-
-- spin_lock_irq(&data->dev_lock);
-- srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted);
-- if (srq_asserted) {
-- /* a STB with SRQ is already received */
-- stb = file_data->srq_byte;
-- spin_unlock_irq(&data->dev_lock);
-- rv = put_user(stb, (__u8 __user *)arg);
-- dev_dbg(dev, "stb:0x%02x with srq received %d\n",
-- (unsigned int)stb, rv);
-- return rv;
-- }
-- spin_unlock_irq(&data->dev_lock);
--
- buffer = kmalloc(8, GFP_KERNEL);
- if (!buffer)
- return -ENOMEM;
-@@ -552,13 +536,12 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
- data->iin_bTag, tag);
- }
-
-- stb = data->bNotify2;
-+ *stb = data->bNotify2;
- } else {
-- stb = buffer[2];
-+ *stb = buffer[2];
- }
-
-- rv = put_user(stb, (__u8 __user *)arg);
-- dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)stb, rv);
-+ dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)*stb, rv);
-
- rv = 0;
-
-@@ -573,6 +556,27 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
- return rv;
- }
-
-+static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
-+ void __user *arg)
-+{
-+ int srq_asserted = 0;
-+ __u8 stb;
-+ int rv;
-+
-+ rv = usbtmc_get_stb(file_data, &stb);
-+
-+ if (rv > 0) {
-+ srq_asserted = atomic_xchg(&file_data->srq_asserted,
-+ srq_asserted);
-+ if (srq_asserted)
-+ stb |= 0x40; /* Set RQS bit */
-+
-+ rv = put_user(stb, (__u8 __user *)arg);
-+ }
-+ return rv;
-+
-+}
-+
- static int usbtmc488_ioctl_wait_srq(struct usbtmc_file_data *file_data,
- __u32 __user *arg)
- {
---
-2.39.5
-