From: Greg Kroah-Hartman Date: Mon, 13 Jan 2025 10:26:47 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.1.125~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0bf7a690b0594dfafc81d73182908317b5a4e152;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: usb-core-disable-lpm-only-for-non-suspended-ports.patch usb-fix-reference-leak-in-usb_new_device.patch usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch usb-usblp-return-error-when-setting-unsupported-protocol.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index db35acc0b49..9271f07d62d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -21,3 +21,8 @@ staging-iio-ad9834-correct-phase-range-check.patch staging-iio-ad9832-correct-phase-range-check.patch usb-storage-add-max-sectors-quirk-for-nokia-208.patch usb-serial-cp210x-add-phoenix-contact-ups-device.patch +usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch +usb-usblp-return-error-when-setting-unsupported-protocol.patch +usb-core-disable-lpm-only-for-non-suspended-ports.patch +usb-fix-reference-leak-in-usb_new_device.patch +usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch diff --git a/queue-5.4/usb-core-disable-lpm-only-for-non-suspended-ports.patch b/queue-5.4/usb-core-disable-lpm-only-for-non-suspended-ports.patch new file mode 100644 index 00000000000..2c40812ca1b --- /dev/null +++ b/queue-5.4/usb-core-disable-lpm-only-for-non-suspended-ports.patch @@ -0,0 +1,52 @@ +From 59bfeaf5454b7e764288d84802577f4a99bf0819 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 6 Dec 2024 15:48:17 +0800 +Subject: USB: core: Disable LPM only for non-suspended ports + +From: Kai-Heng Feng + +commit 59bfeaf5454b7e764288d84802577f4a99bf0819 upstream. + +There's USB error when tegra board is shutting down: +[ 180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113 +[ 180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113 +[ 180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113 +[ 186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead +[ 186.157858] tegra-xusb 3610000.usb: HC died; cleaning up +[ 186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command + +The issue is caused by disabling LPM on already suspended ports. + +For USB2 LPM, the LPM is already disabled during port suspend. For USB3 +LPM, port won't transit to U1/U2 when it's already suspended in U3, +hence disabling LPM is only needed for ports that are not suspended. + +Cc: Wayne Chang +Cc: stable +Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown") +Signed-off-by: Kai-Heng Feng +Acked-by: Alan Stern +Tested-by: Jon Hunter +Link: https://lore.kernel.org/r/20241206074817.89189-1-kaihengf@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/port.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/port.c ++++ b/drivers/usb/core/port.c +@@ -294,10 +294,11 @@ static int usb_port_runtime_suspend(stru + static void usb_port_shutdown(struct device *dev) + { + struct usb_port *port_dev = to_usb_port(dev); ++ struct usb_device *udev = port_dev->child; + +- if (port_dev->child) { +- usb_disable_usb2_hardware_lpm(port_dev->child); +- usb_unlocked_disable_lpm(port_dev->child); ++ if (udev && !udev->port_is_suspended) { ++ usb_disable_usb2_hardware_lpm(udev); ++ usb_unlocked_disable_lpm(udev); + } + } + diff --git a/queue-5.4/usb-fix-reference-leak-in-usb_new_device.patch b/queue-5.4/usb-fix-reference-leak-in-usb_new_device.patch new file mode 100644 index 00000000000..4dba001a716 --- /dev/null +++ b/queue-5.4/usb-fix-reference-leak-in-usb_new_device.patch @@ -0,0 +1,54 @@ +From 0df11fa8cee5a9cf8753d4e2672bb3667138c652 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 18 Dec 2024 15:13:46 +0800 +Subject: usb: fix reference leak in usb_new_device() + +From: Ma Ke + +commit 0df11fa8cee5a9cf8753d4e2672bb3667138c652 upstream. + +When device_add(&udev->dev) succeeds and a later call fails, +usb_new_device() does not properly call device_del(). As comment of +device_add() says, 'if device_add() succeeds, you should call +device_del() when you want to get rid of it. If device_add() has not +succeeded, use only put_device() to drop the reference count'. + +Found by code review. + +Cc: stable +Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class") +Signed-off-by: Ma Ke +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20241218071346.2973980-1-make_ruc2021@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2592,13 +2592,13 @@ int usb_new_device(struct usb_device *ud + err = sysfs_create_link(&udev->dev.kobj, + &port_dev->dev.kobj, "port"); + if (err) +- goto fail; ++ goto out_del_dev; + + err = sysfs_create_link(&port_dev->dev.kobj, + &udev->dev.kobj, "device"); + if (err) { + sysfs_remove_link(&udev->dev.kobj, "port"); +- goto fail; ++ goto out_del_dev; + } + + if (!test_and_set_bit(port1, hub->child_usage_bits)) +@@ -2610,6 +2610,8 @@ int usb_new_device(struct usb_device *ud + pm_runtime_put_sync_autosuspend(&udev->dev); + return err; + ++out_del_dev: ++ device_del(&udev->dev); + fail: + usb_set_device_state(udev, USB_STATE_NOTATTACHED); + pm_runtime_disable(&udev->dev); diff --git a/queue-5.4/usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch b/queue-5.4/usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch new file mode 100644 index 00000000000..253e88acc3e --- /dev/null +++ b/queue-5.4/usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch @@ -0,0 +1,75 @@ +From dfc51e48bca475bbee984e90f33fdc537ce09699 Mon Sep 17 00:00:00 2001 +From: Akash M +Date: Thu, 19 Dec 2024 18:22:19 +0530 +Subject: usb: gadget: f_fs: Remove WARN_ON in functionfs_bind + +From: Akash M + +commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream. + +This commit addresses an issue related to below kernel panic where +panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON +in functionsfs_bind, which easily leads to the following scenarios. + +1.adb_write in adbd 2. UDC write via configfs + ================= ===================== + +->usb_ffs_open_thread() ->UDC write + ->open_functionfs() ->configfs_write_iter() + ->adb_open() ->gadget_dev_desc_UDC_store() + ->adb_write() ->usb_gadget_register_driver_owner + ->driver_register() +->StartMonitor() ->bus_add_driver() + ->adb_read() ->gadget_bind_driver() + ->configfs_composite_bind() + ->usb_add_function() +->open_functionfs() ->ffs_func_bind() + ->adb_open() ->functionfs_bind() + state !=FFS_ACTIVE> + +The adb_open, adb_read, and adb_write operations are invoked from the +daemon, but trying to bind the function is a process that is invoked by +UDC write through configfs, which opens up the possibility of a race +condition between the two paths. In this race scenario, the kernel panic +occurs due to the WARN_ON from functionfs_bind when panic_on_warn is +enabled. This commit fixes the kernel panic by removing the unnecessary +WARN_ON. + +Kernel panic - not syncing: kernel: panic_on_warn set ... +[ 14.542395] Call trace: +[ 14.542464] ffs_func_bind+0x1c8/0x14a8 +[ 14.542468] usb_add_function+0xcc/0x1f0 +[ 14.542473] configfs_composite_bind+0x468/0x588 +[ 14.542478] gadget_bind_driver+0x108/0x27c +[ 14.542483] really_probe+0x190/0x374 +[ 14.542488] __driver_probe_device+0xa0/0x12c +[ 14.542492] driver_probe_device+0x3c/0x220 +[ 14.542498] __driver_attach+0x11c/0x1fc +[ 14.542502] bus_for_each_dev+0x104/0x160 +[ 14.542506] driver_attach+0x24/0x34 +[ 14.542510] bus_add_driver+0x154/0x270 +[ 14.542514] driver_register+0x68/0x104 +[ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4 +[ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144 +[ 14.542526] configfs_write_iter+0xf0/0x138 + +Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") +Cc: stable +Signed-off-by: Akash M +Link: https://lore.kernel.org/r/20241219125221.1679-1-akash.m5@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1875,7 +1875,7 @@ static int functionfs_bind(struct ffs_da + + ENTER(); + +- if (WARN_ON(ffs->state != FFS_ACTIVE ++ if ((ffs->state != FFS_ACTIVE + || test_and_set_bit(FFS_FL_BOUND, &ffs->flags))) + return -EBADFD; + diff --git a/queue-5.4/usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch b/queue-5.4/usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch new file mode 100644 index 00000000000..96ddc10b1c5 --- /dev/null +++ b/queue-5.4/usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch @@ -0,0 +1,69 @@ +From 13014969cbf07f18d62ceea40bd8ca8ec9d36cec Mon Sep 17 00:00:00 2001 +From: Lianqin Hu +Date: Tue, 17 Dec 2024 07:58:44 +0000 +Subject: usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null + +From: Lianqin Hu + +commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec upstream. + +Considering that in some extreme cases, when performing the +unbinding operation, gserial_disconnect has cleared gser->ioport, +which triggers gadget reconfiguration, and then calls gs_read_complete, +resulting in access to a null pointer. Therefore, ep is disabled before +gserial_disconnect sets port to null to prevent this from happening. + +Call trace: + gs_read_complete+0x58/0x240 + usb_gadget_giveback_request+0x40/0x160 + dwc3_remove_requests+0x170/0x484 + dwc3_ep0_out_start+0xb0/0x1d4 + __dwc3_gadget_start+0x25c/0x720 + kretprobe_trampoline.cfi_jt+0x0/0x8 + kretprobe_trampoline.cfi_jt+0x0/0x8 + udc_bind_to_driver+0x1d8/0x300 + usb_gadget_probe_driver+0xa8/0x1dc + gadget_dev_desc_UDC_store+0x13c/0x188 + configfs_write_iter+0x160/0x1f4 + vfs_write+0x2d0/0x40c + ksys_write+0x7c/0xf0 + __arm64_sys_write+0x20/0x30 + invoke_syscall+0x60/0x150 + el0_svc_common+0x8c/0xf8 + do_el0_svc+0x28/0xa0 + el0_svc+0x24/0x84 + +Fixes: c1dca562be8a ("usb gadget: split out serial core") +Cc: stable +Suggested-by: Greg Kroah-Hartman +Signed-off-by: Lianqin Hu +Link: https://lore.kernel.org/r/TYUPR06MB621733B5AC690DBDF80A0DCCD2042@TYUPR06MB6217.apcprd06.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_serial.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -1369,6 +1369,10 @@ void gserial_disconnect(struct gserial * + /* REVISIT as above: how best to track this? */ + port->port_line_coding = gser->port_line_coding; + ++ /* disable endpoints, aborting down any active I/O */ ++ usb_ep_disable(gser->out); ++ usb_ep_disable(gser->in); ++ + port->port_usb = NULL; + gser->ioport = NULL; + if (port->port.count > 0 || port->openclose) { +@@ -1378,10 +1382,6 @@ void gserial_disconnect(struct gserial * + } + spin_unlock_irqrestore(&port->port_lock, flags); + +- /* disable endpoints, aborting down any active I/O */ +- usb_ep_disable(gser->out); +- usb_ep_disable(gser->in); +- + /* finally, free any unused/unusable I/O buffers */ + spin_lock_irqsave(&port->port_lock, flags); + if (port->port.count == 0 && !port->openclose) diff --git a/queue-5.4/usb-usblp-return-error-when-setting-unsupported-protocol.patch b/queue-5.4/usb-usblp-return-error-when-setting-unsupported-protocol.patch new file mode 100644 index 00000000000..475362b9e20 --- /dev/null +++ b/queue-5.4/usb-usblp-return-error-when-setting-unsupported-protocol.patch @@ -0,0 +1,43 @@ +From 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 Mon Sep 17 00:00:00 2001 +From: Jun Yan +Date: Thu, 12 Dec 2024 22:38:52 +0800 +Subject: USB: usblp: return error when setting unsupported protocol + +From: Jun Yan + +commit 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 upstream. + +Fix the regression introduced by commit d8c6edfa3f4e ("USB: +usblp: don't call usb_set_interface if there's a single alt"), +which causes that unsupported protocols can also be set via +ioctl when the num_altsetting of the device is 1. + +Move the check for protocol support to the earlier stage. + +Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt") +Cc: stable +Signed-off-by: Jun Yan +Link: https://lore.kernel.org/r/20241212143852.671889-1-jerrysteve1101@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/usblp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -1337,11 +1337,12 @@ static int usblp_set_protocol(struct usb + if (protocol < USBLP_FIRST_PROTOCOL || protocol > USBLP_LAST_PROTOCOL) + return -EINVAL; + ++ alts = usblp->protocol[protocol].alt_setting; ++ if (alts < 0) ++ return -EINVAL; ++ + /* Don't unnecessarily set the interface if there's a single alt. */ + if (usblp->intf->num_altsetting > 1) { +- alts = usblp->protocol[protocol].alt_setting; +- if (alts < 0) +- return -EINVAL; + r = usb_set_interface(usblp->dev, usblp->ifnum, alts); + if (r < 0) { + printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n",