From 0ac963c08de72864701a633ecfd8d82b633fa420 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 14 Mar 2021 13:24:42 +0100 Subject: [PATCH] 4.4-stable patches added patches: goodix-fingerprint-device-is-not-a-modem.patch usb-gadget-f_uac2-always-increase-endpoint-max_packet_size-by-one-audio-slot.patch usb-renesas_usbhs-clear-pipecfg-for-re-enabling-pipe-with-other-epnum.patch usb-serial-ch341-add-new-product-id.patch usb-serial-cp210x-add-id-for-acuity-brands-nlight-air-adapter.patch usb-serial-cp210x-add-some-more-ge-usb-ids.patch usb-serial-io_edgeport-fix-memory-leak-in-edge_startup.patch usbip-fix-stub_dev-to-check-for-stream-socket.patch usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch usbip-fix-vhci_hcd-to-check-for-stream-socket.patch xhci-improve-detection-of-device-initiated-wake-signal.patch --- ...ix-fingerprint-device-is-not-a-modem.patch | 41 ++++++ queue-4.4/series | 11 ++ ...nt-max_packet_size-by-one-audio-slot.patch | 48 +++++++ ...or-re-enabling-pipe-with-other-epnum.patch | 47 ++++++ .../usb-serial-ch341-add-new-product-id.patch | 103 ++++++++++++++ ...for-acuity-brands-nlight-air-adapter.patch | 31 ++++ ...rial-cp210x-add-some-more-ge-usb-ids.patch | 31 ++++ ...port-fix-memory-leak-in-edge_startup.patch | 68 +++++++++ ...-stub_dev-to-check-for-stream-socket.patch | 51 +++++++ ...ip_sockfd_store-races-leading-to-gpf.patch | 134 ++++++++++++++++++ ...-vhci_hcd-to-check-for-stream-socket.patch | 42 ++++++ ...tion-of-device-initiated-wake-signal.patch | 69 +++++++++ 12 files changed, 676 insertions(+) create mode 100644 queue-4.4/goodix-fingerprint-device-is-not-a-modem.patch create mode 100644 queue-4.4/usb-gadget-f_uac2-always-increase-endpoint-max_packet_size-by-one-audio-slot.patch create mode 100644 queue-4.4/usb-renesas_usbhs-clear-pipecfg-for-re-enabling-pipe-with-other-epnum.patch create mode 100644 queue-4.4/usb-serial-ch341-add-new-product-id.patch create mode 100644 queue-4.4/usb-serial-cp210x-add-id-for-acuity-brands-nlight-air-adapter.patch create mode 100644 
queue-4.4/usb-serial-cp210x-add-some-more-ge-usb-ids.patch
create mode 100644 queue-4.4/usb-serial-io_edgeport-fix-memory-leak-in-edge_startup.patch
create mode 100644 queue-4.4/usbip-fix-stub_dev-to-check-for-stream-socket.patch
create mode 100644 queue-4.4/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch
create mode 100644 queue-4.4/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch
create mode 100644 queue-4.4/xhci-improve-detection-of-device-initiated-wake-signal.patch
diff --git a/queue-4.4/goodix-fingerprint-device-is-not-a-modem.patch b/queue-4.4/goodix-fingerprint-device-is-not-a-modem.patch
new file mode 100644
index 00000000000..416e9211bad
--- /dev/null
+++ b/queue-4.4/goodix-fingerprint-device-is-not-a-modem.patch
@@ -0,0 +1,41 @@ +From 4d8654e81db7346f915eca9f1aff18f385cab621 Mon Sep 17 00:00:00 2001 +From: Yorick de Wid +Date: Sat, 13 Feb 2021 15:49:02 +0100 +Subject: Goodix Fingerprint device is not a modem + +From: Yorick de Wid + +commit 4d8654e81db7346f915eca9f1aff18f385cab621 upstream. + +The CDC ACM driver is false matching the Goodix Fingerprint device +against the USB_CDC_ACM_PROTO_AT_V25TER. + +The Goodix Fingerprint device is a biometrics sensor that should be +handled in user-space. libfprint has some support for Goodix +fingerprint sensors, although not for this particular one. It is +possible that the vendor allocates a PID per OEM (Lenovo, Dell etc). +If this happens to be the case then more devices from the same vendor +could potentially match the ACM modem module table. + +Signed-off-by: Yorick de Wid +Cc: stable +Link: https://lore.kernel.org/r/20210213144901.53199-1-ydewid@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1928,6 +1928,11 @@ static const struct usb_device_id acm_id + .driver_info = SEND_ZERO_PACKET, + }, + ++ /* Exclude Goodix Fingerprint Reader */ ++ { USB_DEVICE(0x27c6, 0x5395), ++ .driver_info = IGNORE_DEVICE, ++ }, ++ + /* control interfaces without any protocol set */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, + USB_CDC_PROTO_NONE) }, diff --git a/queue-4.4/series b/queue-4.4/series index 12d2c8c2185..cbda169f0a2 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -29,3 +29,14 @@ s390-dasd-fix-hanging-dasd-driver-unbind.patch mmc-core-fix-partition-switch-time-for-emmc.patch scripts-recordmcount.-c-pl-support-ffunction-sections-.text.-section-names.patch libertas-fix-a-potential-null-pointer-dereference.patch +goodix-fingerprint-device-is-not-a-modem.patch +usb-gadget-f_uac2-always-increase-endpoint-max_packet_size-by-one-audio-slot.patch +usb-renesas_usbhs-clear-pipecfg-for-re-enabling-pipe-with-other-epnum.patch +xhci-improve-detection-of-device-initiated-wake-signal.patch +usb-serial-io_edgeport-fix-memory-leak-in-edge_startup.patch +usb-serial-ch341-add-new-product-id.patch +usb-serial-cp210x-add-id-for-acuity-brands-nlight-air-adapter.patch +usb-serial-cp210x-add-some-more-ge-usb-ids.patch +usbip-fix-stub_dev-to-check-for-stream-socket.patch +usbip-fix-vhci_hcd-to-check-for-stream-socket.patch +usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch diff --git a/queue-4.4/usb-gadget-f_uac2-always-increase-endpoint-max_packet_size-by-one-audio-slot.patch b/queue-4.4/usb-gadget-f_uac2-always-increase-endpoint-max_packet_size-by-one-audio-slot.patch new file mode 100644 index 00000000000..111dcea08c5 --- /dev/null +++ b/queue-4.4/usb-gadget-f_uac2-always-increase-endpoint-max_packet_size-by-one-audio-slot.patch 
@@ -0,0 +1,48 @@ +From 789ea77310f0200c84002884ffd628e2baf3ad8a Mon Sep 17 00:00:00 2001 +From: Ruslan Bilovol +Date: Mon, 1 Mar 2021 13:49:31 +0200 +Subject: usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot + +From: Ruslan Bilovol + +commit 789ea77310f0200c84002884ffd628e2baf3ad8a upstream. + +As per UAC2 Audio Data Formats spec (2.3.1.1 USB Packets), +if the sampling rate is a constant, the allowable variation +of number of audio slots per virtual frame is +/- 1 audio slot. + +It means that endpoint should be able to accept/send +1 audio +slot. + +Previous endpoint max_packet_size calculation code +was adding sometimes +1 audio slot due to DIV_ROUND_UP +behaviour which was rounding up to closest integer. +However this doesn't work if the numbers are divisible. + +It had no any impact with Linux hosts which ignore +this issue, but in case of more strict Windows it +caused rejected enumeration + +Thus always add +1 audio slot to endpoint's max packet size + +Fixes: 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth") +Cc: Peter Chen +Cc: #v4.3+ +Signed-off-by: Ruslan Bilovol +Link: https://lore.kernel.org/r/1614599375-8803-2-git-send-email-ruslan.bilovol@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_uac2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -997,7 +997,7 @@ static int set_ep_max_packet_size(const + } + + max_size_bw = num_channels(chmask) * ssize * +- DIV_ROUND_UP(srate, factor / (1 << (ep_desc->bInterval - 1))); ++ ((srate / (factor / (1 << (ep_desc->bInterval - 1)))) + 1); + ep_desc->wMaxPacketSize = cpu_to_le16(min_t(u16, max_size_bw, + max_size_ep)); + 
diff --git a/queue-4.4/usb-renesas_usbhs-clear-pipecfg-for-re-enabling-pipe-with-other-epnum.patch b/queue-4.4/usb-renesas_usbhs-clear-pipecfg-for-re-enabling-pipe-with-other-epnum.patch
new file mode 100644
index 00000000000..6c65161dc0e
--- /dev/null
+++ b/queue-4.4/usb-renesas_usbhs-clear-pipecfg-for-re-enabling-pipe-with-other-epnum.patch
@@ -0,0 +1,47 @@ +From b1d25e6ee57c2605845595b6c61340d734253eb3 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 8 Mar 2021 10:55:38 +0900 +Subject: usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM + +From: Yoshihiro Shimoda + +commit b1d25e6ee57c2605845595b6c61340d734253eb3 upstream. + +According to the datasheet, this controller has a restriction +which "set an endpoint number so that combinations of the DIR bit and +the EPNUM bits do not overlap.". However, since the udc core driver is +possible to assign a bulk pipe as an interrupt endpoint, an endpoint +number may not match the pipe number. After that, when user rebinds +another gadget driver, this driver broke the restriction because +the driver didn't clear any configuration in usb_ep_disable(). + +Example: + # modprobe g_ncm + Then, EP3 = pipe 3, EP4 = pipe 4, EP5 = pipe 6 + # rmmod g_ncm + # modprobe g_hid + Then, EP3 = pipe 6, EP4 = pipe 7. + So, pipe 3 and pipe 6 are set as EP3. + +So, clear PIPECFG register in usbhs_pipe_free(). + +Fixes: dfb87b8bfe09 ("usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting") +Cc: stable +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1615168538-26101-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/renesas_usbhs/pipe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/renesas_usbhs/pipe.c ++++ b/drivers/usb/renesas_usbhs/pipe.c +@@ -805,6 +805,8 @@ struct usbhs_pipe *usbhs_pipe_malloc(str + + void usbhs_pipe_free(struct usbhs_pipe *pipe) + { ++ usbhsp_pipe_select(pipe); ++ usbhsp_pipe_cfg_set(pipe, 0xFFFF, 0); + usbhsp_put_pipe(pipe); + } + diff --git a/queue-4.4/usb-serial-ch341-add-new-product-id.patch b/queue-4.4/usb-serial-ch341-add-new-product-id.patch new file mode 100644 index 00000000000..1ad01d5e912 --- /dev/null +++ b/queue-4.4/usb-serial-ch341-add-new-product-id.patch 
@@ -0,0 +1,103 @@ +From 5563b3b6420362c8a1f468ca04afe6d5f0a8d0a3 Mon Sep 17 00:00:00 2001 +From: Niv Sardi +Date: Mon, 1 Mar 2021 17:16:12 -0300 +Subject: USB: serial: ch341: add new Product ID + +From: Niv Sardi + +commit 5563b3b6420362c8a1f468ca04afe6d5f0a8d0a3 upstream. + +Add PID for CH340 that's found on cheap programmers. + +The driver works flawlessly as soon as the new PID (0x9986) is added to it. +These look like ANU232MI but ship with a ch341 inside. They have no special +identifiers (mine only has the string "DB9D20130716" printed on the PCB and +nothing identifiable on the packaging. The merchant i bought it from +doesn't sell these anymore). + +the lsusb -v output is: +Bus 001 Device 009: ID 9986:7523 +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 1.10 + bDeviceClass 255 Vendor Specific Class + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 8 + idVendor 0x9986 + idProduct 0x7523 + bcdDevice 2.54 + iManufacturer 0 + iProduct 0 + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x0027 + bNumInterfaces 1 + bConfigurationValue 1 + iConfiguration 0 + bmAttributes 0x80 + (Bus Powered) + MaxPower 96mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 1 + bInterfaceProtocol 2 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0020 1x 32 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0020 1x 32 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type 
None + Usage Type Data + wMaxPacketSize 0x0008 1x 8 bytes + bInterval 1 + +Signed-off-by: Niv Sardi +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ch341.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -75,6 +75,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x1a86, 0x7522) }, + { USB_DEVICE(0x1a86, 0x7523) }, + { USB_DEVICE(0x4348, 0x5523) }, ++ { USB_DEVICE(0x9986, 0x7523) }, + { }, + }; + MODULE_DEVICE_TABLE(usb, id_table); diff --git a/queue-4.4/usb-serial-cp210x-add-id-for-acuity-brands-nlight-air-adapter.patch b/queue-4.4/usb-serial-cp210x-add-id-for-acuity-brands-nlight-air-adapter.patch new file mode 100644 index 00000000000..422a568e407 --- /dev/null +++ b/queue-4.4/usb-serial-cp210x-add-id-for-acuity-brands-nlight-air-adapter.patch 
@@ -0,0 +1,31 @@ +From ca667a33207daeaf9c62b106815728718def60ec Mon Sep 17 00:00:00 2001 +From: Karan Singhal +Date: Tue, 16 Feb 2021 11:03:10 -0500 +Subject: USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter + +From: Karan Singhal + +commit ca667a33207daeaf9c62b106815728718def60ec upstream. + +IDs of nLight Air Adapter, Acuity Brands, Inc.: +vid: 10c4 +pid: 88d8 + +Signed-off-by: Karan Singhal +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -142,6 +142,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */ + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ ++ { USB_DEVICE(0x10C4, 0x88D8) }, /* Acuity Brands nLight Air Adapter */ + { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */ + { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */ + { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ diff --git a/queue-4.4/usb-serial-cp210x-add-some-more-ge-usb-ids.patch b/queue-4.4/usb-serial-cp210x-add-some-more-ge-usb-ids.patch new file mode 100644 index 00000000000..f21f6df6c50 --- /dev/null +++ b/queue-4.4/usb-serial-cp210x-add-some-more-ge-usb-ids.patch 
@@ -0,0 +1,31 @@ +From 42213a0190b535093a604945db05a4225bf43885 Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Tue, 23 Feb 2021 17:44:18 +0100 +Subject: USB: serial: cp210x: add some more GE USB IDs + +From: Sebastian Reichel + +commit 42213a0190b535093a604945db05a4225bf43885 upstream. + +GE CS1000 has some more custom USB IDs for CP2102N; add them +to the driver to have working auto-probing. + +Signed-off-by: Sebastian Reichel +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/cp210x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -199,6 +199,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */ + { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */ + { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */ ++ { USB_DEVICE(0x1901, 0x0197) }, /* GE CS1000 Display serial interface */ ++ { USB_DEVICE(0x1901, 0x0198) }, /* GE CS1000 M.2 Key E serial interface */ + { USB_DEVICE(0x199B, 0xBA30) }, /* LORD WSDA-200-USB */ + { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ diff --git a/queue-4.4/usb-serial-io_edgeport-fix-memory-leak-in-edge_startup.patch b/queue-4.4/usb-serial-io_edgeport-fix-memory-leak-in-edge_startup.patch new file mode 100644 index 00000000000..183183834fb --- /dev/null +++ b/queue-4.4/usb-serial-io_edgeport-fix-memory-leak-in-edge_startup.patch 
@@ -0,0 +1,68 @@ +From cfdc67acc785e01a8719eeb7012709d245564701 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 2 Mar 2021 02:01:52 +0300 +Subject: USB: serial: io_edgeport: fix memory leak in edge_startup + +From: Pavel Skripkin + +commit cfdc67acc785e01a8719eeb7012709d245564701 upstream. + +sysbot found memory leak in edge_startup(). +The problem was that when an error was received from the usb_submit_urb(), +nothing was cleaned up. + +Reported-by: syzbot+59f777bdcbdd7eea5305@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") +Cc: stable@vger.kernel.org # 2.6.21: c5c0c55598ce +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/io_edgeport.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2966,26 +2966,32 @@ static int edge_startup(struct usb_seria + response = -ENODEV; + } + +- usb_free_urb(edge_serial->interrupt_read_urb); +- kfree(edge_serial->interrupt_in_buffer); +- +- usb_free_urb(edge_serial->read_urb); +- kfree(edge_serial->bulk_in_buffer); +- +- kfree(edge_serial); +- +- return response; ++ goto error; + } + + /* start interrupt read for this edgeport this interrupt will + * continue as long as the edgeport is connected */ + response = usb_submit_urb(edge_serial->interrupt_read_urb, + GFP_KERNEL); +- if (response) ++ if (response) { + dev_err(ddev, "%s - Error %d submitting control urb\n", + __func__, response); ++ ++ goto error; ++ } + } + return response; ++ ++error: ++ usb_free_urb(edge_serial->interrupt_read_urb); ++ kfree(edge_serial->interrupt_in_buffer); ++ ++ usb_free_urb(edge_serial->read_urb); ++ kfree(edge_serial->bulk_in_buffer); ++ ++ kfree(edge_serial); ++ ++ return response; + } + + 
diff --git a/queue-4.4/usbip-fix-stub_dev-to-check-for-stream-socket.patch b/queue-4.4/usbip-fix-stub_dev-to-check-for-stream-socket.patch new file mode 100644 index 00000000000..d36b8d512ff --- /dev/null +++ b/queue-4.4/usbip-fix-stub_dev-to-check-for-stream-socket.patch @@ -0,0 +1,51 @@ +From 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Sun, 7 Mar 2021 20:53:26 -0700 +Subject: usbip: fix stub_dev to check for stream socket + +From: Shuah Khan + +commit 47ccc8fc2c9c94558b27b6f9e2582df32d29e6e8 upstream. + +Fix usbip_sockfd_store() to validate the passed in file descriptor is +a stream socket. If the file descriptor passed was a SOCK_DGRAM socket, +sock_recvmsg() can't detect end of stream. + +Cc: stable@vger.kernel.org +Suggested-by: Tetsuo Handa +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/e942d2bd03afb8e8552bd2a5d84e18d17670d521.1615171203.git.skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/stub_dev.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -83,8 +83,16 @@ static ssize_t store_sockfd(struct devic + } + + socket = sockfd_lookup(sockfd, &err); +- if (!socket) ++ if (!socket) { ++ dev_err(dev, "failed to lookup sock"); + goto err; ++ } ++ ++ if (socket->type != SOCK_STREAM) { ++ dev_err(dev, "Expecting SOCK_STREAM - found %d", ++ socket->type); ++ goto sock_err; ++ } + + sdev->ud.tcp_socket = socket; + sdev->ud.sockfd = sockfd; +@@ -114,6 +122,8 @@ static ssize_t store_sockfd(struct devic + + return count; + ++sock_err: ++ sockfd_put(socket); + err: + spin_unlock_irq(&sdev->ud.lock); + return -EINVAL; diff --git a/queue-4.4/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch b/queue-4.4/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch new file mode 100644 index 00000000000..0251d5d3f06 --- /dev/null 
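Review bot: The two new `dev_err()` messages in the store_sockfd() hunk, `"failed to lookup sock"` and `"Expecting SOCK_STREAM - found %d"`, carry no trailing `\n`, so the next printk will be appended to the same log line; the two messages added to store_attach() in the vhci_sysfs.c hunk of usbip-fix-vhci_hcd-to-check-for-stream-socket.patch have the same omission. Change them to `dev_err(dev, "failed to lookup sock\n");` and `dev_err(dev, "Expecting SOCK_STREAM - found %d\n", socket->type);` (and likewise in the vhci hunk). The type check itself is placed correctly: the new `sock_err` label drops the reference taken by `sockfd_lookup()` before falling into the existing `err` unlock, so rejecting a non-stream fd no longer leaks the socket. store_sockfd() starts and ends outside the hunk.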
+++ b/queue-4.4/usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch 
@@ -0,0 +1,134 @@ +From 9380afd6df70e24eacbdbde33afc6a3950965d22 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Sun, 7 Mar 2021 20:53:29 -0700 +Subject: usbip: fix stub_dev usbip_sockfd_store() races leading to gpf + +From: Shuah Khan + +commit 9380afd6df70e24eacbdbde33afc6a3950965d22 upstream. + +usbip_sockfd_store() is invoked when user requests attach (import) +detach (unimport) usb device from usbip host. vhci_hcd sends import +request and usbip_sockfd_store() exports the device if it is free +for export. + +Export and unexport are governed by local state and shared state +- Shared state (usbip device status, sockfd) - sockfd and Device + status are used to determine if stub should be brought up or shut + down. +- Local state (tcp_socket, rx and tx thread task_struct ptrs) + A valid tcp_socket controls rx and tx thread operations while the + device is in exported state. +- While the device is exported, device status is marked used and socket, + sockfd, and thread pointers are valid. + +Export sequence (stub-up) includes validating the socket and creating +receive (rx) and transmit (tx) threads to talk to the client to provide +access to the exported device. rx and tx threads depends on local and +shared state to be correct and in sync. + +Unexport (stub-down) sequence shuts the socket down and stops the rx and +tx threads. Stub-down sequence relies on local and shared states to be +in sync. + +There are races in updating the local and shared status in the current +stub-up sequence resulting in crashes. These stem from starting rx and +tx threads before local and global state is updated correctly to be in +sync. + +1. Doesn't handle kthread_create() error and saves invalid ptr in local + state that drives rx and tx threads. +2. Updates tcp_socket and sockfd, starts stub_rx and stub_tx threads + before updating usbip_device status to SDEV_ST_USED. This opens up a + race condition between the threads and usbip_sockfd_store() stub up + and down handling. 
+ +Fix the above problems: +- Stop using kthread_get_run() macro to create/start threads. +- Create threads and get task struct reference. +- Add kthread_create() failure handling and bail out. +- Hold usbip_device lock to update local and shared states after + creating rx and tx threads. +- Update usbip_device status to SDEV_ST_USED. +- Update usbip_device tcp_socket, sockfd, tcp_rx, and tcp_tx +- Start threads after usbip_device (tcp_socket, sockfd, tcp_rx, tcp_tx, + and status) is complete. + +Credit goes to syzbot and Tetsuo Handa for finding and root-causing the +kthread_get_run() improper error handling problem and others. This is a +hard problem to find and debug since the races aren't seen in a normal +case. Fuzzing forces the race window to be small enough for the +kthread_get_run() error path bug and starting threads before updating the +local and shared state bug in the stub-up sequence. + +Tested with syzbot reproducer: +- https://syzkaller.appspot.com/text?tag=ReproC&x=14801034d00000 + +Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread") +Cc: stable@vger.kernel.org +Reported-by: syzbot +Reported-by: syzbot +Reported-by: syzbot +Reported-by: Tetsuo Handa +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/268a0668144d5ff36ec7d87fdfa90faf583b7ccc.1615171203.git.skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/stub_dev.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -60,6 +60,8 @@ static ssize_t store_sockfd(struct devic + int sockfd = 0; + struct socket *socket; + int rv; ++ struct task_struct *tcp_rx = NULL; ++ struct task_struct *tcp_tx = NULL; + + if (!sdev) { + dev_err(dev, "sdev is null\n"); +@@ -94,20 +96,36 @@ static ssize_t store_sockfd(struct devic + goto sock_err; + } + +- sdev->ud.tcp_socket = socket; +- sdev->ud.sockfd = sockfd; +- ++ /* unlock and create threads and 
get tasks */ + spin_unlock_irq(&sdev->ud.lock); ++ tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx"); ++ if (IS_ERR(tcp_rx)) { ++ sockfd_put(socket); ++ return -EINVAL; ++ } ++ tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx"); ++ if (IS_ERR(tcp_tx)) { ++ kthread_stop(tcp_rx); ++ sockfd_put(socket); ++ return -EINVAL; ++ } + +- sdev->ud.tcp_rx = kthread_get_run(stub_rx_loop, &sdev->ud, +- "stub_rx"); +- sdev->ud.tcp_tx = kthread_get_run(stub_tx_loop, &sdev->ud, +- "stub_tx"); ++ /* get task structs now */ ++ get_task_struct(tcp_rx); ++ get_task_struct(tcp_tx); + ++ /* lock and update sdev->ud state */ + spin_lock_irq(&sdev->ud.lock); ++ sdev->ud.tcp_socket = socket; ++ sdev->ud.sockfd = sockfd; ++ sdev->ud.tcp_rx = tcp_rx; ++ sdev->ud.tcp_tx = tcp_tx; + sdev->ud.status = SDEV_ST_USED; + spin_unlock_irq(&sdev->ud.lock); + ++ wake_up_process(sdev->ud.tcp_rx); ++ wake_up_process(sdev->ud.tcp_tx); ++ + } else { + dev_info(dev, "stub down\n"); + diff --git a/queue-4.4/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch b/queue-4.4/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch new file mode 100644 index 00000000000..4a14bbc6bfc --- /dev/null +++ b/queue-4.4/usbip-fix-vhci_hcd-to-check-for-stream-socket.patch 
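Review bot: The `spin_unlock_irq(&sdev->ud.lock)` before the two `kthread_create()` calls leaves `sdev->ud.status` unchanged (the availability check that gates stub-up sits above this hunk) until the relock sets `SDEV_ST_USED`, so during that window a second writer to the same attribute, or a concurrent stub-down write, appears able to pass that check and run this stub-up sequence a second time against the same `sdev`. The reordering fixes the thread-start ordering the description targets, but this window is not closed by it; serializing the whole store path under a mutex, or marking the device busy under the lock before dropping it and restoring the previous status on the `IS_ERR` paths, would close it. Separately, both `IS_ERR` paths collapse the cause to `-EINVAL`; `return PTR_ERR(tcp_rx);` and `return PTR_ERR(tcp_tx);` would preserve the real error for the caller. The else branch and the remainder of store_sockfd() continue outside the hunk.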
@@ -0,0 +1,42 @@ +From f55a0571690c4aae03180e001522538c0927432f Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Sun, 7 Mar 2021 20:53:27 -0700 +Subject: usbip: fix vhci_hcd to check for stream socket + +From: Shuah Khan + +commit f55a0571690c4aae03180e001522538c0927432f upstream. + +Fix attach_store() to validate the passed in file descriptor is a +stream socket. If the file descriptor passed was a SOCK_DGRAM socket, +sock_recvmsg() can't detect end of stream. + +Cc: stable@vger.kernel.org +Suggested-by: Tetsuo Handa +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/52712aa308915bda02cece1589e04ee8b401d1f3.1615171203.git.skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/vhci_sysfs.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/usb/usbip/vhci_sysfs.c ++++ b/drivers/usb/usbip/vhci_sysfs.c +@@ -202,8 +202,16 @@ static ssize_t store_attach(struct devic + + /* Extract socket from fd. */ + socket = sockfd_lookup(sockfd, &err); +- if (!socket) ++ if (!socket) { ++ dev_err(dev, "failed to lookup sock"); + return -EINVAL; ++ } ++ if (socket->type != SOCK_STREAM) { ++ dev_err(dev, "Expecting SOCK_STREAM - found %d", ++ socket->type); ++ sockfd_put(socket); ++ return -EINVAL; ++ } + + /* now need lock until setting vdev status as used */ + diff --git a/queue-4.4/xhci-improve-detection-of-device-initiated-wake-signal.patch b/queue-4.4/xhci-improve-detection-of-device-initiated-wake-signal.patch new file mode 100644 index 00000000000..36fffb34f68 --- /dev/null +++ b/queue-4.4/xhci-improve-detection-of-device-initiated-wake-signal.patch 
@@ -0,0 +1,69 @@ +From 253f588c70f66184b1f3a9bbb428b49bbda73e80 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 11 Mar 2021 13:53:51 +0200 +Subject: xhci: Improve detection of device initiated wake signal. + +From: Mathias Nyman + +commit 253f588c70f66184b1f3a9bbb428b49bbda73e80 upstream. + +A xHC USB 3 port might miss the first wake signal from a USB 3 device +if the port LFPS reveiver isn't enabled fast enough after xHC resume. + +xHC host will anyway be resumed by a PME# signal, but will go back to +suspend if no port activity is seen. +The device resends the U3 LFPS wake signal after a 100ms delay, but +by then host is already suspended, starting all over from the +beginning of this issue. + +USB 3 specs say U3 wake LFPS signal is sent for max 10ms, then device +needs to delay 100ms before resending the wake. + +Don't suspend immediately if port activity isn't detected in resume. +Instead add a retry. If there is no port activity then delay for 120ms, +and re-check for port activity. + +Cc: +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210311115353.2137560-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1018,6 +1018,7 @@ int xhci_resume(struct xhci_hcd *xhci, b + struct usb_hcd *secondary_hcd; + int retval = 0; + bool comp_timer_running = false; ++ bool pending_portevent = false; + + if (!hcd->state) + return 0; +@@ -1151,13 +1152,22 @@ int xhci_resume(struct xhci_hcd *xhci, b + + done: + if (retval == 0) { +- /* Resume root hubs only when have pending events. */ +- if (xhci_pending_portevent(xhci)) { ++ /* ++ * Resume roothubs only if there are pending events. ++ * USB 3 devices resend U3 LFPS wake after a 100ms delay if ++ * the first wake signalling failed, give it that chance. 
++ */ ++ pending_portevent = xhci_pending_portevent(xhci); ++ if (!pending_portevent) { ++ msleep(120); ++ pending_portevent = xhci_pending_portevent(xhci); ++ } ++ ++ if (pending_portevent) { + usb_hcd_resume_root_hub(xhci->shared_hcd); + usb_hcd_resume_root_hub(hcd); + } + } +- + /* + * If system is subject to the Quirk, Compliance Mode Timer needs to + * be re-initialized Always after a system resume. Ports are subject -- 2.47.3
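Review bot: `msleep(120)` in the `done:` path runs on every resume in which the first `xhci_pending_portevent()` call returns false, not only after a device-initiated wake, so it adds a fixed 120 ms to resume whenever nothing is pending; whether that latency is acceptable, or whether the retry could be limited to wake-from-device resumes, cannot be decided from this hunk. The constant is also unexplained next to the comment's 100 ms figure; a why-comment such as `msleep(120); /* 100 ms LFPS resend interval plus margin */`, or a named constant, would make the derivation explicit. xhci_resume() starts and ends outside the hunk.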