From 48c3ce9197010c008e5a7f4f9638c641e065d802 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Jul 2024 16:03:55 +0200 Subject: [PATCH] 5.10-stable patches added patches: iio-adc-ad7266-fix-variable-checking-bug.patch iio-chemical-bme680-fix-calibration-data-variable.patch iio-chemical-bme680-fix-overflows-in-compensate-functions.patch iio-chemical-bme680-fix-pressure-value-output.patch iio-chemical-bme680-fix-sensor-data-read-operation.patch net-usb-ax88179_178a-improve-link-status-logs.patch usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch usb-gadget-printer-fix-races-against-disable.patch usb-gadget-printer-ss-support.patch usb-musb-da8xx-fix-a-resource-leak-in-probe.patch --- ...adc-ad7266-fix-variable-checking-bug.patch | 33 +++++ ...bme680-fix-calibration-data-variable.patch | 35 +++++ ...ix-overflows-in-compensate-functions.patch | 72 +++++++++ ...cal-bme680-fix-pressure-value-output.patch | 38 +++++ ...me680-fix-sensor-data-read-operation.patch | 138 +++++++++++++++++ ...x88179_178a-improve-link-status-logs.patch | 57 +++++++ queue-5.10/series | 10 ++ ...fix-endpoint-checking-in-cxacru_bind.patch | 88 +++++++++++ ...et-printer-fix-races-against-disable.patch | 140 ++++++++++++++++++ .../usb-gadget-printer-ss-support.patch | 30 ++++ ...b-da8xx-fix-a-resource-leak-in-probe.patch | 46 ++++++ 11 files changed, 687 insertions(+) create mode 100644 queue-5.10/iio-adc-ad7266-fix-variable-checking-bug.patch create mode 100644 queue-5.10/iio-chemical-bme680-fix-calibration-data-variable.patch create mode 100644 queue-5.10/iio-chemical-bme680-fix-overflows-in-compensate-functions.patch create mode 100644 queue-5.10/iio-chemical-bme680-fix-pressure-value-output.patch create mode 100644 queue-5.10/iio-chemical-bme680-fix-sensor-data-read-operation.patch create mode 100644 queue-5.10/net-usb-ax88179_178a-improve-link-status-logs.patch create mode 100644 queue-5.10/usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch create mode 100644 queue-5.10/usb-gadget-printer-fix-races-against-disable.patch create mode 100644 queue-5.10/usb-gadget-printer-ss-support.patch create mode 100644 queue-5.10/usb-musb-da8xx-fix-a-resource-leak-in-probe.patch diff --git a/queue-5.10/iio-adc-ad7266-fix-variable-checking-bug.patch b/queue-5.10/iio-adc-ad7266-fix-variable-checking-bug.patch new file mode 100644 index 00000000000..c27451271a1 --- /dev/null +++ b/queue-5.10/iio-adc-ad7266-fix-variable-checking-bug.patch @@ -0,0 +1,33 @@ +From a2b86132955268b2a1703082fbc2d4832fc001b8 Mon Sep 17 00:00:00 2001 +From: Fernando Yang +Date: Mon, 3 Jun 2024 15:07:54 -0300 +Subject: iio: adc: ad7266: Fix variable checking bug + +From: Fernando Yang + +commit a2b86132955268b2a1703082fbc2d4832fc001b8 upstream. + +The ret variable was not checked after iio_device_release_direct_mode(), +which could possibly cause errors + +Fixes: c70df20e3159 ("iio: adc: ad7266: claim direct mode during sensor read") +Signed-off-by: Fernando Yang +Link: https://lore.kernel.org/r/20240603180757.8560-1-hagisf@usp.br +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7266.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/adc/ad7266.c ++++ b/drivers/iio/adc/ad7266.c +@@ -157,6 +157,8 @@ static int ad7266_read_raw(struct iio_de + ret = ad7266_read_single(st, val, chan->address); + iio_device_release_direct_mode(indio_dev); + ++ if (ret < 0) ++ return ret; + *val = (*val >> 2) & 0xfff; + if (chan->scan_type.sign == 's') + *val = sign_extend32(*val, 11); diff --git a/queue-5.10/iio-chemical-bme680-fix-calibration-data-variable.patch b/queue-5.10/iio-chemical-bme680-fix-calibration-data-variable.patch new file mode 100644 index 00000000000..0c4821a8097 --- /dev/null +++ b/queue-5.10/iio-chemical-bme680-fix-calibration-data-variable.patch @@ -0,0 +1,35 @@ +From b47c0fee73a810c4503c4a94ea34858a1d865bba Mon Sep 17 00:00:00 2001 +From: Vasileios Amoiridis +Date: Thu, 6 Jun 2024 23:22:54 +0200 +Subject: iio: chemical: bme680: Fix calibration data variable + +From: Vasileios Amoiridis + +commit b47c0fee73a810c4503c4a94ea34858a1d865bba upstream. + +According to the BME68x Sensor API [1], the h6 calibration +data variable should be an unsigned integer of size 8. + +[1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L789 + +Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor") +Signed-off-by: Vasileios Amoiridis +Link: https://lore.kernel.org/r/20240606212313.207550-3-vassilisamir@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/bme680_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -38,7 +38,7 @@ struct bme680_calib { + s8 par_h3; + s8 par_h4; + s8 par_h5; +- s8 par_h6; ++ u8 par_h6; + s8 par_h7; + s8 par_gh1; + s16 par_gh2; diff --git a/queue-5.10/iio-chemical-bme680-fix-overflows-in-compensate-functions.patch b/queue-5.10/iio-chemical-bme680-fix-overflows-in-compensate-functions.patch new file mode 100644 index 00000000000..53b57d31f08 --- /dev/null +++ b/queue-5.10/iio-chemical-bme680-fix-overflows-in-compensate-functions.patch @@ -0,0 +1,72 @@ +From fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8 Mon Sep 17 00:00:00 2001 +From: Vasileios Amoiridis +Date: Thu, 6 Jun 2024 23:22:55 +0200 +Subject: iio: chemical: bme680: Fix overflows in compensate() functions + +From: Vasileios Amoiridis + +commit fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8 upstream. + +There are cases in the compensate functions of the driver that +there could be overflows of variables due to bit shifting ops. +These implications were initially discussed here [1] and they +were mentioned in log message of Commit 1b3bd8592780 ("iio: +chemical: Add support for Bosch BME680 sensor"). + +[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/ + +Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor") +Signed-off-by: Vasileios Amoiridis +Link: https://lore.kernel.org/r/20240606212313.207550-4-vassilisamir@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/bme680_core.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -342,10 +342,10 @@ static s16 bme680_compensate_temp(struct + if (!calib->par_t2) + bme680_read_calib(data, calib); + +- var1 = (adc_temp >> 3) - (calib->par_t1 << 1); ++ var1 = (adc_temp >> 3) - ((s32)calib->par_t1 << 1); + var2 = (var1 * calib->par_t2) >> 11; + var3 = ((var1 >> 1) * (var1 >> 1)) >> 12; +- var3 = (var3 * (calib->par_t3 << 4)) >> 14; ++ var3 = (var3 * ((s32)calib->par_t3 << 4)) >> 14; + data->t_fine = var2 + var3; + calc_temp = (data->t_fine * 5 + 128) >> 8; + +@@ -368,9 +368,9 @@ static u32 bme680_compensate_press(struc + var1 = (data->t_fine >> 1) - 64000; + var2 = ((((var1 >> 2) * (var1 >> 2)) >> 11) * calib->par_p6) >> 2; + var2 = var2 + (var1 * calib->par_p5 << 1); +- var2 = (var2 >> 2) + (calib->par_p4 << 16); ++ var2 = (var2 >> 2) + ((s32)calib->par_p4 << 16); + var1 = (((((var1 >> 2) * (var1 >> 2)) >> 13) * +- (calib->par_p3 << 5)) >> 3) + ++ ((s32)calib->par_p3 << 5)) >> 3) + + ((calib->par_p2 * var1) >> 1); + var1 = var1 >> 18; + var1 = ((32768 + var1) * calib->par_p1) >> 15; +@@ -388,7 +388,7 @@ static u32 bme680_compensate_press(struc + var3 = ((press_comp >> 8) * (press_comp >> 8) * + (press_comp >> 8) * calib->par_p10) >> 17; + +- press_comp += (var1 + var2 + var3 + (calib->par_p7 << 7)) >> 4; ++ press_comp += (var1 + var2 + var3 + ((s32)calib->par_p7 << 7)) >> 4; + + return press_comp; + } +@@ -414,7 +414,7 @@ static u32 bme680_compensate_humid(struc + (((temp_scaled * ((temp_scaled * calib->par_h5) / 100)) + >> 6) / 100) + (1 << 14))) >> 10; + var3 = var1 * var2; +- var4 = calib->par_h6 << 7; ++ var4 = (s32)calib->par_h6 << 7; + var4 = (var4 + ((temp_scaled * calib->par_h7) / 100)) >> 4; + var5 = ((var3 >> 14) * (var3 >> 14)) >> 10; + var6 = (var4 * var5) >> 1; diff --git a/queue-5.10/iio-chemical-bme680-fix-pressure-value-output.patch b/queue-5.10/iio-chemical-bme680-fix-pressure-value-output.patch new file mode 100644 index 00000000000..795c29509d9 --- /dev/null +++ b/queue-5.10/iio-chemical-bme680-fix-pressure-value-output.patch @@ -0,0 +1,38 @@ +From ae1f7b93b52095be6776d0f34957b4f35dda44d9 Mon Sep 17 00:00:00 2001 +From: Vasileios Amoiridis +Date: Thu, 6 Jun 2024 23:22:53 +0200 +Subject: iio: chemical: bme680: Fix pressure value output + +From: Vasileios Amoiridis + +commit ae1f7b93b52095be6776d0f34957b4f35dda44d9 upstream. + +The IIO standard units are measured in kPa while the driver +is using hPa. + +Apart from checking the userspace value itself, it is mentioned also +in the Bosch API [1] that the pressure value is in Pascal. + +[1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L742 + +Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor") +Signed-off-by: Vasileios Amoiridis +Link: https://lore.kernel.org/r/20240606212313.207550-2-vassilisamir@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/bme680_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -678,7 +678,7 @@ static int bme680_read_press(struct bme6 + } + + *val = bme680_compensate_press(data, adc_press); +- *val2 = 100; ++ *val2 = 1000; + return IIO_VAL_FRACTIONAL; + } + diff --git a/queue-5.10/iio-chemical-bme680-fix-sensor-data-read-operation.patch b/queue-5.10/iio-chemical-bme680-fix-sensor-data-read-operation.patch new file mode 100644 index 00000000000..c322746a901 --- /dev/null +++ b/queue-5.10/iio-chemical-bme680-fix-sensor-data-read-operation.patch @@ -0,0 +1,138 @@ +From 4241665e6ea063a9c1d734de790121a71db763fc Mon Sep 17 00:00:00 2001 +From: Vasileios Amoiridis +Date: Thu, 6 Jun 2024 23:22:56 +0200 +Subject: iio: chemical: bme680: Fix sensor data read operation + +From: Vasileios Amoiridis + +commit 4241665e6ea063a9c1d734de790121a71db763fc upstream. + +A read operation is happening as follows: + +a) Set sensor to forced mode +b) Sensor measures values and update data registers and sleeps again +c) Read data registers + +In the current implementation the read operation happens immediately +after the sensor is set to forced mode so the sensor does not have +the time to update properly the registers. This leads to the following +2 problems: + +1) The first ever value which is read by the register is always wrong +2) Every read operation, puts the register into forced mode and reads +the data that were calculated in the previous conversion. + +This behaviour was tested in 2 ways: + +1) The internal meas_status_0 register was read before and after every +read operation in order to verify that the data were ready even before +the register was set to forced mode and also to check that after the +forced mode was set the new data were not yet ready. + +2) Physically changing the temperature and measuring the temperature + +This commit adds the waiting time in between the set of the forced mode +and the read of the data. The function is taken from the Bosch BME68x +Sensor API [1]. + +[1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L490 + +Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor") +Signed-off-by: Vasileios Amoiridis +Link: https://lore.kernel.org/r/20240606212313.207550-5-vassilisamir@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/bme680.h | 2 + + drivers/iio/chemical/bme680_core.c | 46 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 48 insertions(+) + +--- a/drivers/iio/chemical/bme680.h ++++ b/drivers/iio/chemical/bme680.h +@@ -54,7 +54,9 @@ + #define BME680_NB_CONV_MASK GENMASK(3, 0) + + #define BME680_REG_MEAS_STAT_0 0x1D ++#define BME680_NEW_DATA_BIT BIT(7) + #define BME680_GAS_MEAS_BIT BIT(6) ++#define BME680_MEAS_BIT BIT(5) + + /* Calibration Parameters */ + #define BME680_T2_LSB_REG 0x8A +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -10,6 +10,7 @@ + */ + #include + #include ++#include + #include + #include + #include +@@ -532,6 +533,43 @@ static u8 bme680_oversampling_to_reg(u8 + return ilog2(val) + 1; + } + ++/* ++ * Taken from Bosch BME680 API: ++ * https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L490 ++ */ ++static int bme680_wait_for_eoc(struct bme680_data *data) ++{ ++ struct device *dev = regmap_get_device(data->regmap); ++ unsigned int check; ++ int ret; ++ /* ++ * (Sum of oversampling ratios * time per oversampling) + ++ * TPH measurement + gas measurement + wait transition from forced mode ++ * + heater duration ++ */ ++ int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press + ++ data->oversampling_humid) * 1936) + (477 * 4) + ++ (477 * 5) + 1000 + (data->heater_dur * 1000); ++ ++ usleep_range(wait_eoc_us, wait_eoc_us + 100); ++ ++ ret = regmap_read(data->regmap, BME680_REG_MEAS_STAT_0, &check); ++ if (ret) { ++ dev_err(dev, "failed to read measurement status register.\n"); ++ return ret; ++ } ++ if (check & BME680_MEAS_BIT) { ++ dev_err(dev, "Device measurement cycle incomplete.\n"); ++ return -EBUSY; ++ } ++ if (!(check & BME680_NEW_DATA_BIT)) { ++ dev_err(dev, "No new data available from the device.\n"); ++ return -ENODATA; ++ } ++ ++ return 0; ++} ++ + static int bme680_chip_config(struct bme680_data *data) + { + struct device *dev = regmap_get_device(data->regmap); +@@ -622,6 +660,10 @@ static int bme680_read_temp(struct bme68 + if (ret < 0) + return ret; + ++ ret = bme680_wait_for_eoc(data); ++ if (ret) ++ return ret; ++ + ret = regmap_bulk_read(data->regmap, BME680_REG_TEMP_MSB, + &tmp, 3); + if (ret < 0) { +@@ -738,6 +780,10 @@ static int bme680_read_gas(struct bme680 + if (ret < 0) + return ret; + ++ ret = bme680_wait_for_eoc(data); ++ if (ret) ++ return ret; ++ + ret = regmap_read(data->regmap, BME680_REG_MEAS_STAT_0, &check); + if (check & BME680_GAS_MEAS_BIT) { + dev_err(dev, "gas measurement incomplete\n"); diff --git a/queue-5.10/net-usb-ax88179_178a-improve-link-status-logs.patch b/queue-5.10/net-usb-ax88179_178a-improve-link-status-logs.patch new file mode 100644 index 00000000000..c9d688989dd --- /dev/null +++ b/queue-5.10/net-usb-ax88179_178a-improve-link-status-logs.patch @@ -0,0 +1,57 @@ +From 058722ee350c0bdd664e467156feb2bf5d9cc271 Mon Sep 17 00:00:00 2001 +From: Jose Ignacio Tornos Martinez +Date: Thu, 20 Jun 2024 15:34:31 +0200 +Subject: net: usb: ax88179_178a: improve link status logs + +From: Jose Ignacio Tornos Martinez + +commit 058722ee350c0bdd664e467156feb2bf5d9cc271 upstream. + +Avoid spurious link status logs that may ultimately be wrong; for example, +if the link is set to down with the cable plugged, then the cable is +unplugged and after this the link is set to up, the last new log that is +appearing is incorrectly telling that the link is up. + +In order to avoid errors, show link status logs after link_reset +processing, and in order to avoid spurious as much as possible, only show +the link loss when some link status change is detected. + +cc: stable@vger.kernel.org +Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") +Signed-off-by: Jose Ignacio Tornos Martinez +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ax88179_178a.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -346,7 +346,8 @@ static void ax88179_status(struct usbnet + + if (netif_carrier_ok(dev->net) != link) { + usbnet_link_change(dev, link, 1); +- netdev_info(dev->net, "ax88179 - Link status is: %d\n", link); ++ if (!link) ++ netdev_info(dev->net, "ax88179 - Link status is: 0\n"); + } + } + +@@ -1638,6 +1639,7 @@ static int ax88179_link_reset(struct usb + GMII_PHY_PHYSR, 2, &tmp16); + + if (!(tmp16 & GMII_PHY_PHYSR_LINK)) { ++ netdev_info(dev->net, "ax88179 - Link status is: 0\n"); + return 0; + } else if (GMII_PHY_PHYSR_GIGA == (tmp16 & GMII_PHY_PHYSR_SMASK)) { + mode |= AX_MEDIUM_GIGAMODE | AX_MEDIUM_EN_125MHZ; +@@ -1675,6 +1677,8 @@ static int ax88179_link_reset(struct usb + + netif_carrier_on(dev->net); + ++ netdev_info(dev->net, "ax88179 - Link status is: 1\n"); ++ + return 0; + } + diff --git a/queue-5.10/series b/queue-5.10/series index 16767785e72..2d85fab5474 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -298,3 +298,13 @@ mmc-sdhci-pci-convert-pcibios_-return-codes-to-errnos.patch mmc-sdhci-do-not-invert-write-protect-twice.patch mmc-sdhci-do-not-lock-spinlock-around-mmc_gpio_get_ro.patch counter-ti-eqep-enable-clock-at-probe.patch +iio-adc-ad7266-fix-variable-checking-bug.patch +iio-chemical-bme680-fix-pressure-value-output.patch +iio-chemical-bme680-fix-calibration-data-variable.patch +iio-chemical-bme680-fix-overflows-in-compensate-functions.patch +iio-chemical-bme680-fix-sensor-data-read-operation.patch +net-usb-ax88179_178a-improve-link-status-logs.patch +usb-gadget-printer-ss-support.patch +usb-gadget-printer-fix-races-against-disable.patch +usb-musb-da8xx-fix-a-resource-leak-in-probe.patch +usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch diff --git a/queue-5.10/usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch b/queue-5.10/usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch new file mode 100644 index 00000000000..b732974a38a --- /dev/null +++ b/queue-5.10/usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch @@ -0,0 +1,88 @@ +From 2eabb655a968b862bc0c31629a09f0fbf3c80d51 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Sun, 9 Jun 2024 06:15:46 -0700 +Subject: usb: atm: cxacru: fix endpoint checking in cxacru_bind() + +From: Nikita Zhandarovich + +commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 upstream. + +Syzbot is still reporting quite an old issue [1] that occurs due to +incomplete checking of present usb endpoints. As such, wrong +endpoints types may be used at urb sumbitting stage which in turn +triggers a warning in usb_submit_urb(). + +Fix the issue by verifying that required endpoint types are present +for both in and out endpoints, taking into account cmd endpoint type. + +Unfortunately, this patch has not been tested on real hardware. + +[1] Syzbot report: +usb 1-1: BOGUS urb xfer, pipe 1 != type 3 +WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 +Modules linked in: +CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 +... +Call Trace: + cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649 + cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760 + cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209 + usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055 + cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363 + usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:517 [inline] + really_probe+0x23c/0xcd0 drivers/base/dd.c:595 + __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 + driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 + __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 + bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 + __device_attach+0x228/0x4a0 drivers/base/dd.c:965 + bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 + device_add+0xc2f/0x2180 drivers/base/core.c:3354 + usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 + usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 + usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293 + +Reported-and-tested-by: syzbot+00c18ee8497dd3be6ade@syzkaller.appspotmail.com +Fixes: 902ffc3c707c ("USB: cxacru: Use a bulk/int URB to access the command endpoint") +Cc: stable +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20240609131546.3932-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/atm/cxacru.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/atm/cxacru.c ++++ b/drivers/usb/atm/cxacru.c +@@ -1134,6 +1134,7 @@ static int cxacru_bind(struct usbatm_dat + struct cxacru_data *instance; + struct usb_device *usb_dev = interface_to_usbdev(intf); + struct usb_host_endpoint *cmd_ep = usb_dev->ep_in[CXACRU_EP_CMD]; ++ struct usb_endpoint_descriptor *in, *out; + int ret; + + /* instance init */ +@@ -1179,6 +1180,19 @@ static int cxacru_bind(struct usbatm_dat + ret = -ENODEV; + goto fail; + } ++ ++ if (usb_endpoint_xfer_int(&cmd_ep->desc)) ++ ret = usb_find_common_endpoints(intf->cur_altsetting, ++ NULL, NULL, &in, &out); ++ else ++ ret = usb_find_common_endpoints(intf->cur_altsetting, ++ &in, &out, NULL, NULL); ++ ++ if (ret) { ++ usb_err(usbatm_instance, "cxacru_bind: interface has incorrect endpoints\n"); ++ ret = -ENODEV; ++ goto fail; ++ } + + if ((cmd_ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) + == USB_ENDPOINT_XFER_INT) { diff --git a/queue-5.10/usb-gadget-printer-fix-races-against-disable.patch b/queue-5.10/usb-gadget-printer-fix-races-against-disable.patch new file mode 100644 index 00000000000..174e5048fa1 --- /dev/null +++ b/queue-5.10/usb-gadget-printer-fix-races-against-disable.patch @@ -0,0 +1,140 @@ +From e587a7633dfee8987a999cf253f7c52a8e09276c Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 20 Jun 2024 13:40:26 +0200 +Subject: usb: gadget: printer: fix races against disable + +From: Oliver Neukum + +commit e587a7633dfee8987a999cf253f7c52a8e09276c upstream. + +printer_read() and printer_write() guard against the race +against disable() by checking the dev->interface flag, +which in turn is guarded by a spinlock. +These functions, however, drop the lock on multiple occasions. +This means that the test has to be redone after reacquiring +the lock and before doing IO. + +Add the tests. + +This also addresses CVE-2024-25741 + +Fixes: 7f2ca14d2f9b9 ("usb: gadget: function: printer: Interface is disabled and returns error") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20240620114039.5767-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_printer.c | 39 +++++++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -446,11 +446,8 @@ printer_read(struct file *fd, char __use + mutex_lock(&dev->lock_printer_io); + spin_lock_irqsave(&dev->lock, flags); + +- if (dev->interface < 0) { +- spin_unlock_irqrestore(&dev->lock, flags); +- mutex_unlock(&dev->lock_printer_io); +- return -ENODEV; +- } ++ if (dev->interface < 0) ++ goto out_disabled; + + /* We will use this flag later to check if a printer reset happened + * after we turn interrupts back on. +@@ -458,6 +455,9 @@ printer_read(struct file *fd, char __use + dev->reset_printer = 0; + + setup_rx_reqs(dev); ++ /* this dropped the lock - need to retest */ ++ if (dev->interface < 0) ++ goto out_disabled; + + bytes_copied = 0; + current_rx_req = dev->current_rx_req; +@@ -491,6 +491,8 @@ printer_read(struct file *fd, char __use + wait_event_interruptible(dev->rx_wait, + (likely(!list_empty(&dev->rx_buffers)))); + spin_lock_irqsave(&dev->lock, flags); ++ if (dev->interface < 0) ++ goto out_disabled; + } + + /* We have data to return then copy it to the caller's buffer.*/ +@@ -534,6 +536,9 @@ printer_read(struct file *fd, char __use + return -EAGAIN; + } + ++ if (dev->interface < 0) ++ goto out_disabled; ++ + /* If we not returning all the data left in this RX request + * buffer then adjust the amount of data left in the buffer. + * Othewise if we are done with this RX request buffer then +@@ -563,6 +568,11 @@ printer_read(struct file *fd, char __use + return bytes_copied; + else + return -EAGAIN; ++ ++out_disabled: ++ spin_unlock_irqrestore(&dev->lock, flags); ++ mutex_unlock(&dev->lock_printer_io); ++ return -ENODEV; + } + + static ssize_t +@@ -583,11 +593,8 @@ printer_write(struct file *fd, const cha + mutex_lock(&dev->lock_printer_io); + spin_lock_irqsave(&dev->lock, flags); + +- if (dev->interface < 0) { +- spin_unlock_irqrestore(&dev->lock, flags); +- mutex_unlock(&dev->lock_printer_io); +- return -ENODEV; +- } ++ if (dev->interface < 0) ++ goto out_disabled; + + /* Check if a printer reset happens while we have interrupts on */ + dev->reset_printer = 0; +@@ -610,6 +617,8 @@ printer_write(struct file *fd, const cha + wait_event_interruptible(dev->tx_wait, + (likely(!list_empty(&dev->tx_reqs)))); + spin_lock_irqsave(&dev->lock, flags); ++ if (dev->interface < 0) ++ goto out_disabled; + } + + while (likely(!list_empty(&dev->tx_reqs)) && len) { +@@ -659,6 +668,9 @@ printer_write(struct file *fd, const cha + return -EAGAIN; + } + ++ if (dev->interface < 0) ++ goto out_disabled; ++ + list_add(&req->list, &dev->tx_reqs_active); + + /* here, we unlock, and only unlock, to avoid deadlock. */ +@@ -672,6 +684,8 @@ printer_write(struct file *fd, const cha + mutex_unlock(&dev->lock_printer_io); + return -EAGAIN; + } ++ if (dev->interface < 0) ++ goto out_disabled; + } + + spin_unlock_irqrestore(&dev->lock, flags); +@@ -683,6 +697,11 @@ printer_write(struct file *fd, const cha + return bytes_copied; + else + return -EAGAIN; ++ ++out_disabled: ++ spin_unlock_irqrestore(&dev->lock, flags); ++ mutex_unlock(&dev->lock_printer_io); ++ return -ENODEV; + } + + static int diff --git a/queue-5.10/usb-gadget-printer-ss-support.patch b/queue-5.10/usb-gadget-printer-ss-support.patch new file mode 100644 index 00000000000..1d771e47d03 --- /dev/null +++ b/queue-5.10/usb-gadget-printer-ss-support.patch @@ -0,0 +1,30 @@ +From fd80731e5e9d1402cb2f85022a6abf9b1982ec5f Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 20 Jun 2024 11:37:39 +0200 +Subject: usb: gadget: printer: SS+ support + +From: Oliver Neukum + +commit fd80731e5e9d1402cb2f85022a6abf9b1982ec5f upstream. + +We need to treat super speed plus as super speed, not the default, +which is full speed. + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20240620093800.28901-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_printer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -208,6 +208,7 @@ static inline struct usb_endpoint_descri + struct usb_endpoint_descriptor *ss) + { + switch (gadget->speed) { ++ case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + return ss; + case USB_SPEED_HIGH: diff --git a/queue-5.10/usb-musb-da8xx-fix-a-resource-leak-in-probe.patch b/queue-5.10/usb-musb-da8xx-fix-a-resource-leak-in-probe.patch new file mode 100644 index 00000000000..bd63be2e00a --- /dev/null +++ b/queue-5.10/usb-musb-da8xx-fix-a-resource-leak-in-probe.patch @@ -0,0 +1,46 @@ +From de644a4a86be04ed8a43ef8267d0f7d021941c5e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 17 Jun 2024 12:31:30 +0300 +Subject: usb: musb: da8xx: fix a resource leak in probe() + +From: Dan Carpenter + +commit de644a4a86be04ed8a43ef8267d0f7d021941c5e upstream. + +Call usb_phy_generic_unregister() if of_platform_populate() fails. + +Fixes: d6299b6efbf6 ("usb: musb: Add support of CPPI 4.1 DMA controller to DA8xx") +Cc: stable +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/69af1b1d-d3f4-492b-bcea-359ca5949f30@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/da8xx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/musb/da8xx.c ++++ b/drivers/usb/musb/da8xx.c +@@ -556,7 +556,7 @@ static int da8xx_probe(struct platform_d + ret = of_platform_populate(pdev->dev.of_node, NULL, + da8xx_auxdata_lookup, &pdev->dev); + if (ret) +- return ret; ++ goto err_unregister_phy; + + memset(musb_resources, 0x00, sizeof(*musb_resources) * + ARRAY_SIZE(musb_resources)); +@@ -582,9 +582,13 @@ static int da8xx_probe(struct platform_d + ret = PTR_ERR_OR_ZERO(glue->musb); + if (ret) { + dev_err(&pdev->dev, "failed to register musb device: %d\n", ret); +- usb_phy_generic_unregister(glue->usb_phy); ++ goto err_unregister_phy; + } + ++ return 0; ++ ++err_unregister_phy: ++ usb_phy_generic_unregister(glue->usb_phy); + return ret; + } + -- 2.47.3