From: Greg Kroah-Hartman Date: Mon, 11 Jan 2021 09:10:02 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.251~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=83af219f9cef7adb547db8c9f545875b1955fb6c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-hda-conexant-add-a-new-hda-codec-cx11970.patch alsa-hda-realtek-fix-speaker-volume-control-on-lenovo-c940.patch alsa-usb-audio-fix-ubsan-warnings-for-midi-jacks.patch revert-device-property-keep-secondary-firmware-node-secondary-by-type.patch usb-chipidea-ci_hdrc_imx-add-missing-put_device-call-in-usbmisc_get_init_data.patch usb-dwc3-ulpi-use-vstsdone-to-detect-phy-regs-access-completion.patch usb-gadget-configfs-fix-use-after-free-issue-with-udc_name.patch usb-gadget-configfs-preserve-function-ordering-after-bind-failure.patch usb-gadget-f_uac2-reset-wmaxpacketsize.patch usb-gadget-fix-spinlock-lockup-on-usb_function_deactivate.patch usb-gadget-function-printer-fix-a-memory-leak-for-interface-descriptor.patch usb-gadget-legacy-fix-return-error-code-in-acm_ms_bind.patch usb-gadget-select-config_crc32.patch usb-serial-iuu_phoenix-fix-dma-from-stack.patch usb-serial-keyspan_pda-remove-unused-variable.patch usb-serial-option-add-longsung-m5710-module-support.patch usb-serial-option-add-quectel-em160r-gl.patch usb-uas-add-pny-usb-portable-ssd-to-unusual_uas.patch usb-usbip-vhci_hcd-protect-shift-size.patch usb-usblp-fix-dma-to-stack.patch usb-xhci-fix-u1-u2-handling-for-hardware-with-xhci_intel_host-quirk-set.patch usb-yurex-fix-control-urb-timeout-handling.patch x86-mm-fix-leak-of-pmd-ptlock.patch --- diff --git a/queue-4.14/alsa-hda-conexant-add-a-new-hda-codec-cx11970.patch b/queue-4.14/alsa-hda-conexant-add-a-new-hda-codec-cx11970.patch new file mode 100644 index 00000000000..9fc9fce05fb --- /dev/null +++ b/queue-4.14/alsa-hda-conexant-add-a-new-hda-codec-cx11970.patch @@ -0,0 +1,34 @@ +From 744a11abc56405c5a106e63da30a941b6d27f737 Mon Sep 17 00:00:00 2001 +From: bo liu +Date: Tue, 29 Dec 2020 11:52:26 +0800 +Subject: ALSA: hda/conexant: add a new hda codec CX11970 + +From: bo liu + +commit 744a11abc56405c5a106e63da30a941b6d27f737 upstream. + +The current kernel does not support the cx11970 codec chip. +Add a codec configuration item to kernel. + +[ Minor coding style fix by tiwai ] + +Signed-off-by: bo liu +Cc: +Link: https://lore.kernel.org/r/20201229035226.62120-1-bo.liu@senarytech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -1118,6 +1118,7 @@ static int patch_conexant_auto(struct hd + static const struct hda_device_id snd_hda_id_conexant[] = { + HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto), ++ HDA_CODEC_ENTRY(0x14f120d0, "CX11970", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15051, "CX20561 (Hermosa)", patch_conexant_auto), diff --git a/queue-4.14/alsa-hda-realtek-fix-speaker-volume-control-on-lenovo-c940.patch b/queue-4.14/alsa-hda-realtek-fix-speaker-volume-control-on-lenovo-c940.patch new file mode 100644 index 00000000000..b4b0f865da0 --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-fix-speaker-volume-control-on-lenovo-c940.patch @@ -0,0 +1,56 @@ +From f86de9b1c0663b0a3ca2dcddec9aa910ff0fbf2c Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 23 Oct 2020 14:46:47 +0800 +Subject: ALSA: hda/realtek - Fix speaker volume control on Lenovo C940 + +From: Kailang Yang + +commit f86de9b1c0663b0a3ca2dcddec9aa910ff0fbf2c upstream. + +Cannot adjust speaker's volume on Lenovo C940. +Applying the alc298_fixup_speaker_volume function can fix the issue. + +[ Additional note: C940 has I2S amp for the speaker and this needs the + same initialization as Dell machines. + The patch was slightly modified so that the quirk entry is moved + next to the corresponding Dell quirk entry. -- tiwai ] + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/ea25b4e5c468491aa2e9d6cb1f2fced3@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5510,6 +5510,7 @@ enum { + ALC221_FIXUP_HP_FRONT_MIC, + ALC292_FIXUP_TPT460, + ALC298_FIXUP_SPK_VOLUME, ++ ALC298_FIXUP_LENOVO_SPK_VOLUME, + ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER, + ALC269_FIXUP_ATIV_BOOK_8, + ALC221_FIXUP_HP_MIC_NO_PRESENCE, +@@ -6261,6 +6262,10 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE, + }, ++ [ALC298_FIXUP_LENOVO_SPK_VOLUME] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc298_fixup_speaker_volume, ++ }, + [ALC295_FIXUP_DISABLE_DAC3] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc295_fixup_disable_dac3, +@@ -6662,6 +6667,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x3151, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x17aa, 0x3176, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x17aa, 0x3178, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x17aa, 0x3818, "Lenovo C940", ALC298_FIXUP_LENOVO_SPK_VOLUME), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), diff --git a/queue-4.14/alsa-usb-audio-fix-ubsan-warnings-for-midi-jacks.patch b/queue-4.14/alsa-usb-audio-fix-ubsan-warnings-for-midi-jacks.patch new file mode 100644 index 00000000000..0320c1276fd --- /dev/null +++ b/queue-4.14/alsa-usb-audio-fix-ubsan-warnings-for-midi-jacks.patch @@ -0,0 +1,46 @@ +From c06ccf3ebb7503706ea49fd248e709287ef385a3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 23 Dec 2020 18:45:57 +0100 +Subject: ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks + +From: Takashi Iwai + +commit c06ccf3ebb7503706ea49fd248e709287ef385a3 upstream. + +The calculation of in_cables and out_cables bitmaps are done with the +bit shift by the value from the descriptor, which is an arbitrary +value, and can lead to UBSAN shift-out-of-bounds warnings. + +Fix it by filtering the bad descriptor values with the check of the +upper bound 0x10 (the cable bitmaps are 16 bits). + +Reported-by: syzbot+92e45ae45543f89e8c88@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/20201223174557.10249-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/midi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1867,6 +1867,8 @@ static int snd_usbmidi_get_ms_info(struc + ms_ep = find_usb_ms_endpoint_descriptor(hostep); + if (!ms_ep) + continue; ++ if (ms_ep->bNumEmbMIDIJack > 0x10) ++ continue; + if (usb_endpoint_dir_out(ep)) { + if (endpoints[epidx].out_ep) { + if (++epidx >= MIDI_MAX_ENDPOINTS) { +@@ -2119,6 +2121,8 @@ static int snd_usbmidi_detect_roland(str + cs_desc[1] == USB_DT_CS_INTERFACE && + cs_desc[2] == 0xf1 && + cs_desc[3] == 0x02) { ++ if (cs_desc[4] > 0x10 || cs_desc[5] > 0x10) ++ continue; + endpoint->in_cables = (1 << cs_desc[4]) - 1; + endpoint->out_cables = (1 << cs_desc[5]) - 1; + return snd_usbmidi_detect_endpoints(umidi, endpoint, 1); diff --git a/queue-4.14/revert-device-property-keep-secondary-firmware-node-secondary-by-type.patch b/queue-4.14/revert-device-property-keep-secondary-firmware-node-secondary-by-type.patch new file mode 100644 index 00000000000..8e03a736c22 --- /dev/null +++ b/queue-4.14/revert-device-property-keep-secondary-firmware-node-secondary-by-type.patch @@ -0,0 +1,40 @@ +From 47f4469970d8861bc06d2d4d45ac8200ff07c693 Mon Sep 17 00:00:00 2001 +From: Bard Liao +Date: Tue, 5 Jan 2021 17:11:45 +0800 +Subject: Revert "device property: Keep secondary firmware node secondary by type" + +From: Bard Liao + +commit 47f4469970d8861bc06d2d4d45ac8200ff07c693 upstream. + +While commit d5dcce0c414f ("device property: Keep secondary firmware +node secondary by type") describes everything correct in its commit +message, the change it made does the opposite and original commit +c15e1bdda436 ("device property: Fix the secondary firmware node handling +in set_primary_fwnode()") was fully correct. + +Revert the former one here and improve documentation in the next patch. + +Fixes: d5dcce0c414f ("device property: Keep secondary firmware node secondary by type") +Signed-off-by: Bard Liao +Reviewed-by: Andy Shevchenko +Reviewed-by: Heikki Krogerus +Cc: 5.10+ # 5.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -3090,7 +3090,7 @@ void set_primary_fwnode(struct device *d + if (fwnode_is_primary(fn)) { + dev->fwnode = fn->secondary; + if (!(parent && fn == parent->fwnode)) +- fn->secondary = ERR_PTR(-ENODEV); ++ fn->secondary = NULL; + } else { + dev->fwnode = NULL; + } diff --git a/queue-4.14/series b/queue-4.14/series index 45129f0d4b0..3f6752a6627 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -28,3 +28,26 @@ video-hyperv_fb-fix-the-mmap-regression-for-v5.4.y-a.patch crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch usb-gadget-enable-super-speed-plus.patch usb-cdc-acm-blacklist-another-ir-droid-device.patch +usb-dwc3-ulpi-use-vstsdone-to-detect-phy-regs-access-completion.patch +usb-chipidea-ci_hdrc_imx-add-missing-put_device-call-in-usbmisc_get_init_data.patch +usb-xhci-fix-u1-u2-handling-for-hardware-with-xhci_intel_host-quirk-set.patch +usb-usbip-vhci_hcd-protect-shift-size.patch +usb-uas-add-pny-usb-portable-ssd-to-unusual_uas.patch +usb-serial-iuu_phoenix-fix-dma-from-stack.patch +usb-serial-option-add-longsung-m5710-module-support.patch +usb-serial-option-add-quectel-em160r-gl.patch +usb-yurex-fix-control-urb-timeout-handling.patch +usb-usblp-fix-dma-to-stack.patch +alsa-usb-audio-fix-ubsan-warnings-for-midi-jacks.patch +usb-gadget-select-config_crc32.patch +usb-gadget-f_uac2-reset-wmaxpacketsize.patch +usb-gadget-function-printer-fix-a-memory-leak-for-interface-descriptor.patch +usb-gadget-legacy-fix-return-error-code-in-acm_ms_bind.patch +usb-gadget-fix-spinlock-lockup-on-usb_function_deactivate.patch +usb-gadget-configfs-preserve-function-ordering-after-bind-failure.patch +usb-gadget-configfs-fix-use-after-free-issue-with-udc_name.patch +usb-serial-keyspan_pda-remove-unused-variable.patch +x86-mm-fix-leak-of-pmd-ptlock.patch +alsa-hda-conexant-add-a-new-hda-codec-cx11970.patch +alsa-hda-realtek-fix-speaker-volume-control-on-lenovo-c940.patch +revert-device-property-keep-secondary-firmware-node-secondary-by-type.patch diff --git a/queue-4.14/usb-chipidea-ci_hdrc_imx-add-missing-put_device-call-in-usbmisc_get_init_data.patch b/queue-4.14/usb-chipidea-ci_hdrc_imx-add-missing-put_device-call-in-usbmisc_get_init_data.patch new file mode 100644 index 00000000000..71b93b5be09 --- /dev/null +++ b/queue-4.14/usb-chipidea-ci_hdrc_imx-add-missing-put_device-call-in-usbmisc_get_init_data.patch @@ -0,0 +1,40 @@ +From 83a43ff80a566de8718dfc6565545a0080ec1fb5 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Tue, 17 Nov 2020 09:14:30 +0800 +Subject: usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() + +From: Yu Kuai + +commit 83a43ff80a566de8718dfc6565545a0080ec1fb5 upstream. + +if of_find_device_by_node() succeed, usbmisc_get_init_data() doesn't have +a corresponding put_device(). Thus add put_device() to fix the exception +handling for this function implementation. + +Fixes: ef12da914ed6 ("usb: chipidea: imx: properly check for usbmisc") +Signed-off-by: Yu Kuai +Cc: stable +Link: https://lore.kernel.org/r/20201117011430.642589-1-yukuai3@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/ci_hdrc_imx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/chipidea/ci_hdrc_imx.c ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c +@@ -134,9 +134,13 @@ static struct imx_usbmisc_data *usbmisc_ + misc_pdev = of_find_device_by_node(args.np); + of_node_put(args.np); + +- if (!misc_pdev || !platform_get_drvdata(misc_pdev)) ++ if (!misc_pdev) + return ERR_PTR(-EPROBE_DEFER); + ++ if (!platform_get_drvdata(misc_pdev)) { ++ put_device(&misc_pdev->dev); ++ return ERR_PTR(-EPROBE_DEFER); ++ } + data->dev = &misc_pdev->dev; + + if (of_find_property(np, "disable-over-current", NULL)) diff --git a/queue-4.14/usb-dwc3-ulpi-use-vstsdone-to-detect-phy-regs-access-completion.patch b/queue-4.14/usb-dwc3-ulpi-use-vstsdone-to-detect-phy-regs-access-completion.patch new file mode 100644 index 00000000000..1cb5002d071 --- /dev/null +++ b/queue-4.14/usb-dwc3-ulpi-use-vstsdone-to-detect-phy-regs-access-completion.patch @@ -0,0 +1,54 @@ +From ce722da66d3e9384aa2de9d33d584ee154e5e157 Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Thu, 10 Dec 2020 11:50:06 +0300 +Subject: usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion + +From: Serge Semin + +commit ce722da66d3e9384aa2de9d33d584ee154e5e157 upstream. + +In accordance with [1] the DWC_usb3 core sets the GUSB2PHYACCn.VStsDone +bit when the PHY vendor control access is done and clears it when the +application initiates a new transaction. The doc doesn't say anything +about the GUSB2PHYACCn.VStsBsy flag serving for the same purpose. Moreover +we've discovered that the VStsBsy flag can be cleared before the VStsDone +bit. So using the former as a signal of the PHY control registers +completion might be dangerous. Let's have the VStsDone flag utilized +instead then. + +[1] Synopsys DesignWare Cores SuperSpeed USB 3.0 xHCI Host Controller + Databook, 2.70a, December 2013, p.388 + +Fixes: 88bc9d194ff6 ("usb: dwc3: add ULPI interface support") +Acked-by: Heikki Krogerus +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20201210085008.13264-2-Sergey.Semin@baikalelectronics.ru +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.h | 1 + + drivers/usb/dwc3/ulpi.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -227,6 +227,7 @@ + + /* Global USB2 PHY Vendor Control Register */ + #define DWC3_GUSB2PHYACC_NEWREGREQ BIT(25) ++#define DWC3_GUSB2PHYACC_DONE BIT(24) + #define DWC3_GUSB2PHYACC_BUSY BIT(23) + #define DWC3_GUSB2PHYACC_WRITE BIT(22) + #define DWC3_GUSB2PHYACC_ADDR(n) (n << 16) +--- a/drivers/usb/dwc3/ulpi.c ++++ b/drivers/usb/dwc3/ulpi.c +@@ -27,7 +27,7 @@ static int dwc3_ulpi_busyloop(struct dwc + + while (count--) { + reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYACC(0)); +- if (!(reg & DWC3_GUSB2PHYACC_BUSY)) ++ if (reg & DWC3_GUSB2PHYACC_DONE) + return 0; + cpu_relax(); + } diff --git a/queue-4.14/usb-gadget-configfs-fix-use-after-free-issue-with-udc_name.patch b/queue-4.14/usb-gadget-configfs-fix-use-after-free-issue-with-udc_name.patch new file mode 100644 index 00000000000..1931160cac3 --- /dev/null +++ b/queue-4.14/usb-gadget-configfs-fix-use-after-free-issue-with-udc_name.patch @@ -0,0 +1,72 @@ +From 64e6bbfff52db4bf6785fab9cffab850b2de6870 Mon Sep 17 00:00:00 2001 +From: Eddie Hung +Date: Tue, 29 Dec 2020 18:53:35 +0800 +Subject: usb: gadget: configfs: Fix use-after-free issue with udc_name + +From: Eddie Hung + +commit 64e6bbfff52db4bf6785fab9cffab850b2de6870 upstream. + +There is a use-after-free issue, if access udc_name +in function gadget_dev_desc_UDC_store after another context +free udc_name in function unregister_gadget. + +Context 1: +gadget_dev_desc_UDC_store()->unregister_gadget()-> +free udc_name->set udc_name to NULL + +Context 2: +gadget_dev_desc_UDC_show()-> access udc_name + +Call trace: +dump_backtrace+0x0/0x340 +show_stack+0x14/0x1c +dump_stack+0xe4/0x134 +print_address_description+0x78/0x478 +__kasan_report+0x270/0x2ec +kasan_report+0x10/0x18 +__asan_report_load1_noabort+0x18/0x20 +string+0xf4/0x138 +vsnprintf+0x428/0x14d0 +sprintf+0xe4/0x12c +gadget_dev_desc_UDC_show+0x54/0x64 +configfs_read_file+0x210/0x3a0 +__vfs_read+0xf0/0x49c +vfs_read+0x130/0x2b4 +SyS_read+0x114/0x208 +el0_svc_naked+0x34/0x38 + +Add mutex_lock to protect this kind of scenario. + +Signed-off-by: Eddie Hung +Signed-off-by: Macpaul Lin +Reviewed-by: Peter Chen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1609239215-21819-1-git-send-email-macpaul.lin@mediatek.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/configfs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -232,9 +232,16 @@ static ssize_t gadget_dev_desc_bcdUSB_st + + static ssize_t gadget_dev_desc_UDC_show(struct config_item *item, char *page) + { +- char *udc_name = to_gadget_info(item)->composite.gadget_driver.udc_name; ++ struct gadget_info *gi = to_gadget_info(item); ++ char *udc_name; ++ int ret; + +- return sprintf(page, "%s\n", udc_name ?: ""); ++ mutex_lock(&gi->lock); ++ udc_name = gi->composite.gadget_driver.udc_name; ++ ret = sprintf(page, "%s\n", udc_name ?: ""); ++ mutex_unlock(&gi->lock); ++ ++ return ret; + } + + static int unregister_gadget(struct gadget_info *gi) diff --git a/queue-4.14/usb-gadget-configfs-preserve-function-ordering-after-bind-failure.patch b/queue-4.14/usb-gadget-configfs-preserve-function-ordering-after-bind-failure.patch new file mode 100644 index 00000000000..458cc60cb41 --- /dev/null +++ b/queue-4.14/usb-gadget-configfs-preserve-function-ordering-after-bind-failure.patch @@ -0,0 +1,91 @@ +From 6cd0fe91387917be48e91385a572a69dfac2f3f7 Mon Sep 17 00:00:00 2001 +From: Chandana Kishori Chiluveru +Date: Tue, 29 Dec 2020 14:44:43 -0800 +Subject: usb: gadget: configfs: Preserve function ordering after bind failure + +From: Chandana Kishori Chiluveru + +commit 6cd0fe91387917be48e91385a572a69dfac2f3f7 upstream. + +When binding the ConfigFS gadget to a UDC, the functions in each +configuration are added in list order. However, if usb_add_function() +fails, the failed function is put back on its configuration's +func_list and purge_configs_funcs() is called to further clean up. + +purge_configs_funcs() iterates over the configurations and functions +in forward order, calling unbind() on each of the previously added +functions. But after doing so, each function gets moved to the +tail of the configuration's func_list. This results in reshuffling +the original order of the functions within a configuration such +that the failed function now appears first even though it may have +originally appeared in the middle or even end of the list. At this +point if the ConfigFS gadget is attempted to re-bind to the UDC, +the functions will be added in a different order than intended, +with the only recourse being to remove and relink the functions all +over again. + +An example of this as follows: + +ln -s functions/mass_storage.0 configs/c.1 +ln -s functions/ncm.0 configs/c.1 +ln -s functions/ffs.adb configs/c.1 # oops, forgot to start adbd +echo "" > UDC # fails +start adbd +echo "" > UDC # now succeeds, but... + # bind order is + # "ADB", mass_storage, ncm + +[30133.118289] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520 +[30133.119875] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520 +[30133.119974] using random self ethernet address +[30133.120002] using random host ethernet address +[30133.139604] usb0: HOST MAC 3e:27:46:ba:3e:26 +[30133.140015] usb0: MAC 6e:28:7e:42:66:6a +[30133.140062] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520 +[30133.140081] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 --> -19 +[30133.140098] configfs-gadget gadget: unbind function 'Mass Storage Function'/ffffff810af87200 +[30133.140119] configfs-gadget gadget: unbind function 'cdc_network'/ffffff80f48d1a00 +[30133.173201] configfs-gadget a600000.dwc3: failed to start g1: -19 +[30136.661933] init: starting service 'adbd'... +[30136.700126] read descriptors +[30136.700413] read strings +[30138.574484] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520 +[30138.575497] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520 +[30138.575554] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520 +[30138.575631] using random self ethernet address +[30138.575660] using random host ethernet address +[30138.595338] usb0: HOST MAC 2e:cf:43:cd:ca:c8 +[30138.597160] usb0: MAC 6a:f0:9f:ee:82:a0 +[30138.791490] configfs-gadget gadget: super-speed config #1: c + +Fix this by reversing the iteration order of the functions in +purge_config_funcs() when unbinding them, and adding them back to +the config's func_list at the head instead of the tail. This +ensures that we unbind and unwind back to the original list order. + +Fixes: 88af8bbe4ef7 ("usb: gadget: the start of the configfs interface") +Signed-off-by: Chandana Kishori Chiluveru +Signed-off-by: Jack Pham +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/20201229224443.31623-1-jackp@codeaurora.org +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/configfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -1216,9 +1216,9 @@ static void purge_configs_funcs(struct g + + cfg = container_of(c, struct config_usb_cfg, c); + +- list_for_each_entry_safe(f, tmp, &c->functions, list) { ++ list_for_each_entry_safe_reverse(f, tmp, &c->functions, list) { + +- list_move_tail(&f->list, &cfg->func_list); ++ list_move(&f->list, &cfg->func_list); + if (f->unbind) { + dev_dbg(&gi->cdev.gadget->dev, + "unbind function '%s'/%p\n", diff --git a/queue-4.14/usb-gadget-f_uac2-reset-wmaxpacketsize.patch b/queue-4.14/usb-gadget-f_uac2-reset-wmaxpacketsize.patch new file mode 100644 index 00000000000..1c9393a9160 --- /dev/null +++ b/queue-4.14/usb-gadget-f_uac2-reset-wmaxpacketsize.patch @@ -0,0 +1,152 @@ +From 9389044f27081d6ec77730c36d5bf9a1288bcda2 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Mon, 21 Dec 2020 18:35:28 +0100 +Subject: usb: gadget: f_uac2: reset wMaxPacketSize + +From: Jerome Brunet + +commit 9389044f27081d6ec77730c36d5bf9a1288bcda2 upstream. + +With commit 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth") +wMaxPacketSize is computed dynamically but the value is never reset. + +Because of this, the actual maximum packet size can only decrease each time +the audio gadget is instantiated. + +Reset the endpoint maximum packet size and mark wMaxPacketSize as dynamic +to solve the problem. + +Fixes: 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth") +Signed-off-by: Jerome Brunet +Cc: stable +Link: https://lore.kernel.org/r/20201221173531.215169-2-jbrunet@baylibre.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_uac2.c | 69 +++++++++++++++++++++++++++-------- + 1 file changed, 55 insertions(+), 14 deletions(-) + +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -279,7 +279,7 @@ static struct usb_endpoint_descriptor fs + + .bEndpointAddress = USB_DIR_OUT, + .bmAttributes = USB_ENDPOINT_XFER_ISOC | USB_ENDPOINT_SYNC_ASYNC, +- .wMaxPacketSize = cpu_to_le16(1023), ++ /* .wMaxPacketSize = DYNAMIC */ + .bInterval = 1, + }; + +@@ -288,7 +288,7 @@ static struct usb_endpoint_descriptor hs + .bDescriptorType = USB_DT_ENDPOINT, + + .bmAttributes = USB_ENDPOINT_XFER_ISOC | USB_ENDPOINT_SYNC_ASYNC, +- .wMaxPacketSize = cpu_to_le16(1024), ++ /* .wMaxPacketSize = DYNAMIC */ + .bInterval = 4, + }; + +@@ -356,7 +356,7 @@ static struct usb_endpoint_descriptor fs + + .bEndpointAddress = USB_DIR_IN, + .bmAttributes = USB_ENDPOINT_XFER_ISOC | USB_ENDPOINT_SYNC_ASYNC, +- .wMaxPacketSize = cpu_to_le16(1023), ++ /* .wMaxPacketSize = DYNAMIC */ + .bInterval = 1, + }; + +@@ -365,7 +365,7 @@ static struct usb_endpoint_descriptor hs + .bDescriptorType = USB_DT_ENDPOINT, + + .bmAttributes = USB_ENDPOINT_XFER_ISOC | USB_ENDPOINT_SYNC_ASYNC, +- .wMaxPacketSize = cpu_to_le16(1024), ++ /* .wMaxPacketSize = DYNAMIC */ + .bInterval = 4, + }; + +@@ -452,12 +452,28 @@ struct cntrl_range_lay3 { + __le32 dRES; + } __packed; + +-static void set_ep_max_packet_size(const struct f_uac2_opts *uac2_opts, ++static int set_ep_max_packet_size(const struct f_uac2_opts *uac2_opts, + struct usb_endpoint_descriptor *ep_desc, +- unsigned int factor, bool is_playback) ++ enum usb_device_speed speed, bool is_playback) + { + int chmask, srate, ssize; +- u16 max_packet_size; ++ u16 max_size_bw, max_size_ep; ++ unsigned int factor; ++ ++ switch (speed) { ++ case USB_SPEED_FULL: ++ max_size_ep = 1023; ++ factor = 1000; ++ break; ++ ++ case USB_SPEED_HIGH: ++ max_size_ep = 1024; ++ factor = 8000; ++ break; ++ ++ default: ++ return -EINVAL; ++ } + + if (is_playback) { + chmask = uac2_opts->p_chmask; +@@ -469,10 +485,12 @@ static void set_ep_max_packet_size(const + ssize = uac2_opts->c_ssize; + } + +- max_packet_size = num_channels(chmask) * ssize * ++ max_size_bw = num_channels(chmask) * ssize * + DIV_ROUND_UP(srate, factor / (1 << (ep_desc->bInterval - 1))); +- ep_desc->wMaxPacketSize = cpu_to_le16(min_t(u16, max_packet_size, +- le16_to_cpu(ep_desc->wMaxPacketSize))); ++ ep_desc->wMaxPacketSize = cpu_to_le16(min_t(u16, max_size_bw, ++ max_size_ep)); ++ ++ return 0; + } + + static int +@@ -555,10 +573,33 @@ afunc_bind(struct usb_configuration *cfg + uac2->as_in_alt = 0; + + /* Calculate wMaxPacketSize according to audio bandwidth */ +- set_ep_max_packet_size(uac2_opts, &fs_epin_desc, 1000, true); +- set_ep_max_packet_size(uac2_opts, &fs_epout_desc, 1000, false); +- set_ep_max_packet_size(uac2_opts, &hs_epin_desc, 8000, true); +- set_ep_max_packet_size(uac2_opts, &hs_epout_desc, 8000, false); ++ ret = set_ep_max_packet_size(uac2_opts, &fs_epin_desc, USB_SPEED_FULL, ++ true); ++ if (ret < 0) { ++ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); ++ return ret; ++ } ++ ++ ret = set_ep_max_packet_size(uac2_opts, &fs_epout_desc, USB_SPEED_FULL, ++ false); ++ if (ret < 0) { ++ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); ++ return ret; ++ } ++ ++ ret = set_ep_max_packet_size(uac2_opts, &hs_epin_desc, USB_SPEED_HIGH, ++ true); ++ if (ret < 0) { ++ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); ++ return ret; ++ } ++ ++ ret = set_ep_max_packet_size(uac2_opts, &hs_epout_desc, USB_SPEED_HIGH, ++ false); ++ if (ret < 0) { ++ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); ++ return ret; ++ } + + agdev->out_ep = usb_ep_autoconfig(gadget, &fs_epout_desc); + if (!agdev->out_ep) { diff --git a/queue-4.14/usb-gadget-fix-spinlock-lockup-on-usb_function_deactivate.patch b/queue-4.14/usb-gadget-fix-spinlock-lockup-on-usb_function_deactivate.patch new file mode 100644 index 00000000000..7cd4069c583 --- /dev/null +++ b/queue-4.14/usb-gadget-fix-spinlock-lockup-on-usb_function_deactivate.patch @@ -0,0 +1,86 @@ +From 5cc35c224a80aa5a5a539510ef049faf0d6ed181 Mon Sep 17 00:00:00 2001 +From: Sriharsha Allenki +Date: Wed, 2 Dec 2020 18:32:20 +0530 +Subject: usb: gadget: Fix spinlock lockup on usb_function_deactivate + +From: Sriharsha Allenki + +commit 5cc35c224a80aa5a5a539510ef049faf0d6ed181 upstream. + +There is a spinlock lockup as part of composite_disconnect +when it tries to acquire cdev->lock as part of usb_gadget_deactivate. +This is because the usb_gadget_deactivate is called from +usb_function_deactivate with the same spinlock held. + +This would result in the below call stack and leads to stall. + +rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: +rcu: 3-...0: (1 GPs behind) idle=162/1/0x4000000000000000 +softirq=10819/10819 fqs=2356 + (detected by 2, t=5252 jiffies, g=20129, q=3770) + Task dump for CPU 3: + task:uvc-gadget_wlhe state:R running task stack: 0 pid: 674 ppid: + 636 flags:0x00000202 + Call trace: + __switch_to+0xc0/0x170 + _raw_spin_lock_irqsave+0x84/0xb0 + composite_disconnect+0x28/0x78 + configfs_composite_disconnect+0x68/0x70 + usb_gadget_disconnect+0x10c/0x128 + usb_gadget_deactivate+0xd4/0x108 + usb_function_deactivate+0x6c/0x80 + uvc_function_disconnect+0x20/0x58 + uvc_v4l2_release+0x30/0x88 + v4l2_release+0xbc/0xf0 + __fput+0x7c/0x230 + ____fput+0x14/0x20 + task_work_run+0x88/0x140 + do_notify_resume+0x240/0x6f0 + work_pending+0x8/0x200 + +Fix this by doing an unlock on cdev->lock before the usb_gadget_deactivate +call from usb_function_deactivate. + +The same lockup can happen in the usb_gadget_activate path. Fix that path +as well. + +Reported-by: Peter Chen +Link: https://lore.kernel.org/linux-usb/20201102094936.GA29581@b29397-desktop/ +Tested-by: Peter Chen +Signed-off-by: Sriharsha Allenki +Cc: stable +Link: https://lore.kernel.org/r/20201202130220.24926-1-sallenki@codeaurora.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/composite.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -395,8 +395,11 @@ int usb_function_deactivate(struct usb_f + + spin_lock_irqsave(&cdev->lock, flags); + +- if (cdev->deactivations == 0) ++ if (cdev->deactivations == 0) { ++ spin_unlock_irqrestore(&cdev->lock, flags); + status = usb_gadget_deactivate(cdev->gadget); ++ spin_lock_irqsave(&cdev->lock, flags); ++ } + if (status == 0) + cdev->deactivations++; + +@@ -427,8 +430,11 @@ int usb_function_activate(struct usb_fun + status = -EINVAL; + else { + cdev->deactivations--; +- if (cdev->deactivations == 0) ++ if (cdev->deactivations == 0) { ++ spin_unlock_irqrestore(&cdev->lock, flags); + status = usb_gadget_activate(cdev->gadget); ++ spin_lock_irqsave(&cdev->lock, flags); ++ } + } + + spin_unlock_irqrestore(&cdev->lock, flags); diff --git a/queue-4.14/usb-gadget-function-printer-fix-a-memory-leak-for-interface-descriptor.patch b/queue-4.14/usb-gadget-function-printer-fix-a-memory-leak-for-interface-descriptor.patch new file mode 100644 index 00000000000..68710fa3efa --- /dev/null +++ b/queue-4.14/usb-gadget-function-printer-fix-a-memory-leak-for-interface-descriptor.patch @@ -0,0 +1,33 @@ +From 2cc332e4ee4febcbb685e2962ad323fe4b3b750a Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Thu, 10 Dec 2020 10:01:48 +0800 +Subject: usb: gadget: function: printer: Fix a memory leak for interface descriptor + +From: Zqiang + +commit 2cc332e4ee4febcbb685e2962ad323fe4b3b750a upstream. + +When printer driver is loaded, the printer_func_bind function is called, in +this function, the interface descriptor be allocated memory, if after that, +the error occurred, the interface descriptor memory need to be free. + +Reviewed-by: Peter Chen +Cc: +Signed-off-by: Zqiang +Link: https://lore.kernel.org/r/20201210020148.6691-1-qiang.zhang@windriver.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_printer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -1130,6 +1130,7 @@ fail_tx_reqs: + printer_req_free(dev->in_ep, req); + } + ++ usb_free_all_descriptors(f); + return ret; + + } diff --git a/queue-4.14/usb-gadget-legacy-fix-return-error-code-in-acm_ms_bind.patch b/queue-4.14/usb-gadget-legacy-fix-return-error-code-in-acm_ms_bind.patch new file mode 100644 index 00000000000..99a4ee3245f --- /dev/null +++ b/queue-4.14/usb-gadget-legacy-fix-return-error-code-in-acm_ms_bind.patch @@ -0,0 +1,36 @@ +From c91d3a6bcaa031f551ba29a496a8027b31289464 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Tue, 17 Nov 2020 17:29:55 +0800 +Subject: USB: gadget: legacy: fix return error code in acm_ms_bind() + +From: Yang Yingliang + +commit c91d3a6bcaa031f551ba29a496a8027b31289464 upstream. + +If usb_otg_descriptor_alloc() failed, it need return ENOMEM. + +Fixes: 578aa8a2b12c ("usb: gadget: acm_ms: allocate and init otg descriptor by otg capabilities") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Cc: stable +Link: https://lore.kernel.org/r/20201117092955.4102785-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/legacy/acm_ms.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/legacy/acm_ms.c ++++ b/drivers/usb/gadget/legacy/acm_ms.c +@@ -207,8 +207,10 @@ static int acm_ms_bind(struct usb_compos + struct usb_descriptor_header *usb_desc; + + usb_desc = usb_otg_descriptor_alloc(gadget); +- if (!usb_desc) ++ if (!usb_desc) { ++ status = -ENOMEM; + goto fail_string_ids; ++ } + usb_otg_descriptor_init(gadget, usb_desc); + otg_desc[0] = usb_desc; + otg_desc[1] = NULL; diff --git a/queue-4.14/usb-gadget-select-config_crc32.patch b/queue-4.14/usb-gadget-select-config_crc32.patch new file mode 100644 index 00000000000..b8e308258b8 --- /dev/null +++ b/queue-4.14/usb-gadget-select-config_crc32.patch @@ -0,0 +1,44 @@ +From d7889c2020e08caab0d7e36e947f642d91015bd0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Sun, 3 Jan 2021 22:42:17 +0100 +Subject: usb: gadget: select CONFIG_CRC32 + +From: Arnd Bergmann + +commit d7889c2020e08caab0d7e36e947f642d91015bd0 upstream. + +Without crc32 support, this driver fails to link: + +arm-linux-gnueabi-ld: drivers/usb/gadget/function/f_eem.o: in function `eem_unwrap': +f_eem.c:(.text+0x11cc): undefined reference to `crc32_le' +arm-linux-gnueabi-ld: drivers/usb/gadget/function/f_ncm.o:f_ncm.c:(.text+0x1e40): +more undefined references to `crc32_le' follow + +Fixes: 6d3865f9d41f ("usb: gadget: NCM: Add transmit multi-frame.") +Signed-off-by: Arnd Bergmann +Cc: stable +Link: https://lore.kernel.org/r/20210103214224.1996535-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/gadget/Kconfig ++++ b/drivers/usb/gadget/Kconfig +@@ -264,6 +264,7 @@ config USB_CONFIGFS_NCM + depends on NET + select USB_U_ETHER + select USB_F_NCM ++ select CRC32 + help + NCM is an advanced protocol for Ethernet encapsulation, allows + grouping of several ethernet frames into one USB transfer and +@@ -313,6 +314,7 @@ config USB_CONFIGFS_EEM + depends on NET + select USB_U_ETHER + select USB_F_EEM ++ select CRC32 + help + CDC EEM is a newer USB standard that is somewhat simpler than CDC ECM + and therefore can be supported by more hardware. Technically ECM and diff --git a/queue-4.14/usb-serial-iuu_phoenix-fix-dma-from-stack.patch b/queue-4.14/usb-serial-iuu_phoenix-fix-dma-from-stack.patch new file mode 100644 index 00000000000..869eede2758 --- /dev/null +++ b/queue-4.14/usb-serial-iuu_phoenix-fix-dma-from-stack.patch @@ -0,0 +1,76 @@ +From 54d0a3ab80f49f19ee916def62fe067596833403 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 4 Jan 2021 15:50:07 +0100 +Subject: USB: serial: iuu_phoenix: fix DMA from stack + +From: Johan Hovold + +commit 54d0a3ab80f49f19ee916def62fe067596833403 upstream. + +Stack-allocated buffers cannot be used for DMA (on all architectures) so +allocate the flush command buffer using kmalloc(). + +Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver") +Cc: stable # 2.6.25 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/iuu_phoenix.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/usb/serial/iuu_phoenix.c ++++ b/drivers/usb/serial/iuu_phoenix.c +@@ -543,23 +543,29 @@ static int iuu_uart_flush(struct usb_ser + struct device *dev = &port->dev; + int i; + int status; +- u8 rxcmd = IUU_UART_RX; ++ u8 *rxcmd; + struct iuu_private *priv = usb_get_serial_port_data(port); + + if (iuu_led(port, 0xF000, 0, 0, 0xFF) < 0) + return -EIO; + ++ rxcmd = kmalloc(1, GFP_KERNEL); ++ if (!rxcmd) ++ return -ENOMEM; ++ ++ rxcmd[0] = IUU_UART_RX; ++ + for (i = 0; i < 2; i++) { +- status = bulk_immediate(port, &rxcmd, 1); ++ status = bulk_immediate(port, rxcmd, 1); + if (status != IUU_OPERATION_OK) { + dev_dbg(dev, "%s - uart_flush_write error\n", __func__); +- return status; ++ goto out_free; + } + + status = read_immediate(port, &priv->len, 1); + if (status != IUU_OPERATION_OK) { + dev_dbg(dev, "%s - uart_flush_read error\n", __func__); +- return status; ++ goto out_free; + } + + if (priv->len > 0) { +@@ -567,12 +573,16 @@ static int iuu_uart_flush(struct usb_ser + status = read_immediate(port, priv->buf, priv->len); + if (status != IUU_OPERATION_OK) { + dev_dbg(dev, "%s - uart_flush_read error\n", __func__); +- return status; ++ goto out_free; + } + } + } + dev_dbg(dev, "%s - uart_flush_read OK!\n", __func__); + iuu_led(port, 0, 0xF000, 0, 0xFF); ++ ++out_free: ++ kfree(rxcmd); ++ + return status; + } + diff --git a/queue-4.14/usb-serial-keyspan_pda-remove-unused-variable.patch b/queue-4.14/usb-serial-keyspan_pda-remove-unused-variable.patch new file mode 100644 index 00000000000..bc936bf32f8 --- /dev/null +++ b/queue-4.14/usb-serial-keyspan_pda-remove-unused-variable.patch @@ -0,0 +1,34 @@ +From 62218024401fac7dd7c7a6e74b566164d515d922 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 8 Jan 2021 15:55:28 +0100 +Subject: USB: serial: keyspan_pda: remove unused variable + +From: Johan Hovold + +Remove an unused variable which was mistakingly left by commit +37faf5061541 ("USB: serial: keyspan_pda: fix write-wakeup +use-after-free") and only removed by a later change. + +This is needed to suppress a W=1 warning about the unused variable in +the stable trees that the build bots triggers. + +Reported-by: kernel test robot +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/keyspan_pda.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -559,10 +559,8 @@ exit: + static void keyspan_pda_write_bulk_callback(struct urb *urb) + { + struct usb_serial_port *port = urb->context; +- struct keyspan_pda_private *priv; + + set_bit(0, &port->write_urbs_free); +- priv = usb_get_serial_port_data(port); + + /* queue up a wakeup at scheduler time */ + usb_serial_port_softint(port); diff --git a/queue-4.14/usb-serial-option-add-longsung-m5710-module-support.patch b/queue-4.14/usb-serial-option-add-longsung-m5710-module-support.patch new file mode 100644 index 00000000000..daac75daaf7 --- /dev/null +++ b/queue-4.14/usb-serial-option-add-longsung-m5710-module-support.patch @@ -0,0 +1,57 @@ +From 0e2d6795e8dbe91c2f5473564c6b25d11df3778b Mon Sep 17 00:00:00 2001 +From: Daniel Palmer +Date: Sun, 27 Dec 2020 12:17:16 +0900 +Subject: USB: serial: option: add LongSung M5710 module support + +From: Daniel Palmer + +commit 0e2d6795e8dbe91c2f5473564c6b25d11df3778b upstream. + +Add a device-id entry for the LongSung M5710 module. + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2df3 ProdID=9d03 Rev= 1.00 +S: Manufacturer=Marvell +S: Product=Mobile Composite Device Bus +S: SerialNumber= +C:* #Ifs= 5 Cfg#= 1 Atr=c0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 +I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host +E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniel Palmer +https://lore.kernel.org/r/20201227031716.1343300-1-daniel@0x0f.com +[ johan: drop id defines, only bind to vendor class ] +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2059,6 +2059,7 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */ + .driver_info = RSVD(6) }, + { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) }, /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */ ++ { USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */ + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */ diff --git a/queue-4.14/usb-serial-option-add-quectel-em160r-gl.patch b/queue-4.14/usb-serial-option-add-quectel-em160r-gl.patch new file mode 100644 index 00000000000..d95b70f5bff --- /dev/null +++ b/queue-4.14/usb-serial-option-add-quectel-em160r-gl.patch @@ -0,0 +1,63 @@ +From d6c1ddd938d84a1adef7e19e8efc10e1b4df5034 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Wed, 30 Dec 2020 16:25:34 +0100 +Subject: USB: serial: option: add Quectel EM160R-GL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjørn Mork + +commit d6c1ddd938d84a1adef7e19e8efc10e1b4df5034 upstream. + +New modem using ff/ff/30 for QCDM, ff/00/00 for AT and NMEA, +and ff/ff/ff for RMNET/QMI. + +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1 +P: Vendor=2c7c ProdID=0620 Rev= 4.09 +S: Manufacturer=Quectel +S: Product=EM160R-GL +S: SerialNumber=e31cedc1 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Bjørn Mork +[ johan: add model comment ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1120,6 +1120,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0xff, 0xff), + .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, 0x0620, 0xff, 0xff, 0x30) }, /* EM160R-GL */ ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, 0x0620, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x30) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10), diff --git a/queue-4.14/usb-uas-add-pny-usb-portable-ssd-to-unusual_uas.patch b/queue-4.14/usb-uas-add-pny-usb-portable-ssd-to-unusual_uas.patch new file mode 100644 index 00000000000..5be40a2377a --- /dev/null +++ b/queue-4.14/usb-uas-add-pny-usb-portable-ssd-to-unusual_uas.patch @@ -0,0 +1,42 @@ +From 96ebc9c871d8a28fb22aa758dd9188a4732df482 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Mon, 4 Jan 2021 20:07:15 -0800 +Subject: usb: uas: Add PNY USB Portable SSD to unusual_uas + +From: Thinh Nguyen + +commit 96ebc9c871d8a28fb22aa758dd9188a4732df482 upstream. + +Here's another variant PNY Pro Elite USB 3.1 Gen 2 portable SSD that +hangs and doesn't respond to ATA_1x pass-through commands. If it doesn't +support these commands, it should respond properly to the host. Add it +to the unusual uas list to be able to move forward with other +operations. + +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Acked-by: Oliver Neukum +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/2edc7af892d0913bf06f5b35e49ec463f03d5ed8.1609819418.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_uas.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -167,6 +167,13 @@ UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x99 + US_FL_BROKEN_FUA), + + /* Reported-by: Thinh Nguyen */ ++UNUSUAL_DEV(0x154b, 0xf00b, 0x0000, 0x9999, ++ "PNY", ++ "Pro Elite SSD", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_ATA_1X), ++ ++/* Reported-by: Thinh Nguyen */ + UNUSUAL_DEV(0x154b, 0xf00d, 0x0000, 0x9999, + "PNY", + "Pro Elite SSD", diff --git a/queue-4.14/usb-usbip-vhci_hcd-protect-shift-size.patch b/queue-4.14/usb-usbip-vhci_hcd-protect-shift-size.patch new file mode 100644 index 00000000000..6b5b4908c30 --- /dev/null +++ b/queue-4.14/usb-usbip-vhci_hcd-protect-shift-size.patch @@ -0,0 +1,40 @@ +From 718bf42b119de652ebcc93655a1f33a9c0d04b3c Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 28 Dec 2020 23:13:09 -0800 +Subject: usb: usbip: vhci_hcd: protect shift size + +From: Randy Dunlap + +commit 718bf42b119de652ebcc93655a1f33a9c0d04b3c upstream. + +Fix shift out-of-bounds in vhci_hcd.c: + + UBSAN: shift-out-of-bounds in ../drivers/usb/usbip/vhci_hcd.c:399:41 + shift exponent 768 is too large for 32-bit type 'int' + +Fixes: 03cd00d538a6 ("usbip: vhci-hcd: Set the vhci structure up to work") +Signed-off-by: Randy Dunlap +Reported-by: syzbot+297d20e437b79283bf6d@syzkaller.appspotmail.com +Cc: Yuyang Du +Cc: Shuah Khan +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Cc: stable +Link: https://lore.kernel.org/r/20201229071309.18418-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/vhci_hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -410,6 +410,8 @@ static int vhci_hub_control(struct usb_h + default: + usbip_dbg_vhci_rh(" ClearPortFeature: default %x\n", + wValue); ++ if (wValue >= 32) ++ goto error; + vhci_hcd->port_status[rhport] &= ~(1 << wValue); + break; + } diff --git a/queue-4.14/usb-usblp-fix-dma-to-stack.patch b/queue-4.14/usb-usblp-fix-dma-to-stack.patch new file mode 100644 index 00000000000..f7bff47a2b0 --- /dev/null +++ b/queue-4.14/usb-usblp-fix-dma-to-stack.patch @@ -0,0 +1,58 @@ +From 020a1f453449294926ca548d8d5ca970926e8dfd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 4 Jan 2021 15:53:02 +0100 +Subject: USB: usblp: fix DMA to stack + +From: Johan Hovold + +commit 020a1f453449294926ca548d8d5ca970926e8dfd upstream. + +Stack-allocated buffers cannot be used for DMA (on all architectures). + +Replace the HP-channel macro with a helper function that allocates a +dedicated transfer buffer so that it can continue to be used with +arguments from the stack. + +Note that the buffer is cleared on allocation as usblp_ctrl_msg() +returns success also on short transfers (the buffer is only used for +debugging). + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210104145302.2087-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/usblp.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -289,8 +289,25 @@ static int usblp_ctrl_msg(struct usblp * + #define usblp_reset(usblp)\ + usblp_ctrl_msg(usblp, USBLP_REQ_RESET, USB_TYPE_CLASS, USB_DIR_OUT, USB_RECIP_OTHER, 0, NULL, 0) + +-#define usblp_hp_channel_change_request(usblp, channel, buffer) \ +- usblp_ctrl_msg(usblp, USBLP_REQ_HP_CHANNEL_CHANGE_REQUEST, USB_TYPE_VENDOR, USB_DIR_IN, USB_RECIP_INTERFACE, channel, buffer, 1) ++static int usblp_hp_channel_change_request(struct usblp *usblp, int channel, u8 *new_channel) ++{ ++ u8 *buf; ++ int ret; ++ ++ buf = kzalloc(1, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ ret = usblp_ctrl_msg(usblp, USBLP_REQ_HP_CHANNEL_CHANGE_REQUEST, ++ USB_TYPE_VENDOR, USB_DIR_IN, USB_RECIP_INTERFACE, ++ channel, buf, 1); ++ if (ret == 0) ++ *new_channel = buf[0]; ++ ++ kfree(buf); ++ ++ return ret; ++} + + /* + * See the description for usblp_select_alts() below for the usage diff --git a/queue-4.14/usb-xhci-fix-u1-u2-handling-for-hardware-with-xhci_intel_host-quirk-set.patch b/queue-4.14/usb-xhci-fix-u1-u2-handling-for-hardware-with-xhci_intel_host-quirk-set.patch new file mode 100644 index 00000000000..c0f8af0819f --- /dev/null +++ b/queue-4.14/usb-xhci-fix-u1-u2-handling-for-hardware-with-xhci_intel_host-quirk-set.patch @@ -0,0 +1,89 @@ +From 5d5323a6f3625f101dbfa94ba3ef7706cce38760 Mon Sep 17 00:00:00 2001 +From: Michael Grzeschik +Date: Tue, 15 Dec 2020 20:31:47 +0100 +Subject: USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set + +From: Michael Grzeschik + +commit 5d5323a6f3625f101dbfa94ba3ef7706cce38760 upstream. + +The commit 0472bf06c6fd ("xhci: Prevent U1/U2 link pm states if exit +latency is too long") was constraining the xhci code not to allow U1/U2 +sleep states if the latency to wake up from the U-states reached the +service interval of an periodic endpoint. This fix was not taking into +account that in case the quirk XHCI_INTEL_HOST is set, the wakeup time +will be calculated and configured differently. + +It checks for u1_params.mel/u2_params.mel as a limit. But the code could +decide to write another MEL into the hardware. This leads to broken +cases where not enough bandwidth is available for other devices: + +usb 1-2: can't set config #1, error -28 + +This patch is fixing that case by checking for timeout_ns after the +wakeup time was calculated depending on the quirks. + +Fixes: 0472bf06c6fd ("xhci: Prevent U1/U2 link pm states if exit latency is too long") +Signed-off-by: Michael Grzeschik +Cc: stable +Link: https://lore.kernel.org/r/20201215193147.11738-1-m.grzeschik@pengutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4390,19 +4390,19 @@ static u16 xhci_calculate_u1_timeout(str + { + unsigned long long timeout_ns; + ++ if (xhci->quirks & XHCI_INTEL_HOST) ++ timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc); ++ else ++ timeout_ns = udev->u1_params.sel; ++ + /* Prevent U1 if service interval is shorter than U1 exit latency */ + if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) { +- if (xhci_service_interval_to_ns(desc) <= udev->u1_params.mel) { ++ if (xhci_service_interval_to_ns(desc) <= timeout_ns) { + dev_dbg(&udev->dev, "Disable U1, ESIT shorter than exit latency\n"); + return USB3_LPM_DISABLED; + } + } + +- if (xhci->quirks & XHCI_INTEL_HOST) +- timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc); +- else +- timeout_ns = udev->u1_params.sel; +- + /* The U1 timeout is encoded in 1us intervals. + * Don't return a timeout of zero, because that's USB3_LPM_DISABLED. + */ +@@ -4454,19 +4454,19 @@ static u16 xhci_calculate_u2_timeout(str + { + unsigned long long timeout_ns; + ++ if (xhci->quirks & XHCI_INTEL_HOST) ++ timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc); ++ else ++ timeout_ns = udev->u2_params.sel; ++ + /* Prevent U2 if service interval is shorter than U2 exit latency */ + if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) { +- if (xhci_service_interval_to_ns(desc) <= udev->u2_params.mel) { ++ if (xhci_service_interval_to_ns(desc) <= timeout_ns) { + dev_dbg(&udev->dev, "Disable U2, ESIT shorter than exit latency\n"); + return USB3_LPM_DISABLED; + } + } + +- if (xhci->quirks & XHCI_INTEL_HOST) +- timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc); +- else +- timeout_ns = udev->u2_params.sel; +- + /* The U2 timeout is encoded in 256us intervals */ + timeout_ns = DIV_ROUND_UP_ULL(timeout_ns, 256 * 1000); + /* If the necessary timeout value is bigger than what we can set in the diff --git a/queue-4.14/usb-yurex-fix-control-urb-timeout-handling.patch b/queue-4.14/usb-yurex-fix-control-urb-timeout-handling.patch new file mode 100644 index 00000000000..27ea79bfa2f --- /dev/null +++ b/queue-4.14/usb-yurex-fix-control-urb-timeout-handling.patch @@ -0,0 +1,38 @@ +From 372c93131998c0622304bed118322d2a04489e63 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 14 Dec 2020 11:30:53 +0100 +Subject: USB: yurex: fix control-URB timeout handling + +From: Johan Hovold + +commit 372c93131998c0622304bed118322d2a04489e63 upstream. + +Make sure to always cancel the control URB in write() so that it can be +reused after a timeout or spurious CMD_ACK. + +Currently any further write requests after a timeout would fail after +triggering a WARN() in usb_submit_urb() when attempting to submit the +already active URB. + +Reported-by: syzbot+e87ebe0f7913f71f2ea5@syzkaller.appspotmail.com +Fixes: 6bc235a2e24a ("USB: add driver for Meywa-Denki & Kayac YUREX") +Cc: stable # 2.6.37 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/yurex.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -501,6 +501,9 @@ static ssize_t yurex_write(struct file * + timeout = schedule_timeout(YUREX_WRITE_TIMEOUT); + finish_wait(&dev->waitq, &wait); + ++ /* make sure URB is idle after timeout or (spurious) CMD_ACK */ ++ usb_kill_urb(dev->cntl_urb); ++ + mutex_unlock(&dev->io_mutex); + + if (retval < 0) { diff --git a/queue-4.14/x86-mm-fix-leak-of-pmd-ptlock.patch b/queue-4.14/x86-mm-fix-leak-of-pmd-ptlock.patch new file mode 100644 index 00000000000..7479ec1f409 --- /dev/null +++ b/queue-4.14/x86-mm-fix-leak-of-pmd-ptlock.patch @@ -0,0 +1,85 @@ +From d1c5246e08eb64991001d97a3bd119c93edbc79a Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Wed, 2 Dec 2020 22:28:12 -0800 +Subject: x86/mm: Fix leak of pmd ptlock + +From: Dan Williams + +commit d1c5246e08eb64991001d97a3bd119c93edbc79a upstream. + +Commit + + 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") + +introduced a new location where a pmd was released, but neglected to +run the pmd page destructor. In fact, this happened previously for a +different pmd release path and was fixed by commit: + + c283610e44ec ("x86, mm: do not leak page->ptl for pmd page tables"). + +This issue was hidden until recently because the failure mode is silent, +but commit: + + b2b29d6d0119 ("mm: account PMD tables like PTE tables") + +turns the failure mode into this signature: + + BUG: Bad page state in process lt-pmem-ns pfn:15943d + page:000000007262ed7b refcount:0 mapcount:-1024 mapping:0000000000000000 index:0x0 pfn:0x15943d + flags: 0xaffff800000000() + raw: 00affff800000000 dead000000000100 0000000000000000 0000000000000000 + raw: 0000000000000000 ffff913a029bcc08 00000000fffffbff 0000000000000000 + page dumped because: nonzero mapcount + [..] + dump_stack+0x8b/0xb0 + bad_page.cold+0x63/0x94 + free_pcp_prepare+0x224/0x270 + free_unref_page+0x18/0xd0 + pud_free_pmd_page+0x146/0x160 + ioremap_pud_range+0xe3/0x350 + ioremap_page_range+0x108/0x160 + __ioremap_caller.constprop.0+0x174/0x2b0 + ? memremap+0x7a/0x110 + memremap+0x7a/0x110 + devm_memremap+0x53/0xa0 + pmem_attach_disk+0x4ed/0x530 [nd_pmem] + ? __devm_release_region+0x52/0x80 + nvdimm_bus_probe+0x85/0x210 [libnvdimm] + +Given this is a repeat occurrence it seemed prudent to look for other +places where this destructor might be missing and whether a better +helper is needed. try_to_free_pmd_page() looks like a candidate, but +testing with setting up and tearing down pmd mappings via the dax unit +tests is thus far not triggering the failure. + +As for a better helper pmd_free() is close, but it is a messy fit +due to requiring an @mm arg. Also, ___pmd_free_tlb() wants to call +paravirt_tlb_remove_table() instead of free_page(), so open-coded +pgtable_pmd_page_dtor() seems the best way forward for now. + +Debugged together with Matthew Wilcox . + +Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") +Signed-off-by: Dan Williams +Signed-off-by: Borislav Petkov +Tested-by: Yi Zhang +Acked-by: Peter Zijlstra (Intel) +Cc: +Link: https://lkml.kernel.org/r/160697689204.605323.17629854984697045602.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/pgtable.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -765,6 +765,8 @@ int pud_free_pmd_page(pud_t *pud, unsign + } + + free_page((unsigned long)pmd_sv); ++ ++ pgtable_pmd_page_dtor(virt_to_page(pmd)); + free_page((unsigned long)pmd); + + return 1;