From abfa306bbaa73f9faa04ec70e16ac05d007e710e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 3 Sep 2019 20:43:19 +0200 Subject: [PATCH] 5.2-stable patches added patches: kvm-arm-arm64-vgic-fix-potential-deadlock-when-ap_list-is-long.patch kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch kvm-ppc-book3s-fix-incorrect-guest-to-user-translation-error-handling.patch mei-me-add-tiger-lake-point-lp-device-id.patch revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch tools-power-turbostat-fix-caller-parameter-of-get_tdp_amd.patch usb-cdc-wdm-fix-race-between-write-and-disconnect-due-to-flag-abuse.patch usb-chipidea-udc-don-t-do-hardware-access-if-gadget-has-stopped.patch usb-hcd-use-managed-device-resources.patch usb-host-ohci-fix-a-race-condition-between-shutdown-and-irq.patch usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch usb-storage-add-new-jms567-revision-to-unusual_devs.patch usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch usb-storage-ums-realtek-whitelist-auto-delink-support.patch usbtmc-more-sanity-checking-for-packet-size.patch --- ...ential-deadlock-when-ap_list-is-long.patch | 44 ++++++ ...-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch | 97 +++++++++++++ ...t-to-user-translation-error-handling.patch | 61 ++++++++ ...me-add-tiger-lake-point-lp-device-id.patch | 43 ++++++ ...hci-tegra-drop-get_ro-implementation.patch | 79 +++++++++++ queue-5.2/series | 15 ++ ...-fix-caller-parameter-of-get_tdp_amd.patch | 35 +++++ ...ite-and-disconnect-due-to-flag-abuse.patch | 64 +++++++++ ...ardware-access-if-gadget-has-stopped.patch | 118 +++++++++++++++ ...usb-hcd-use-managed-device-resources.patch | 110 ++++++++++++++ ...e-condition-between-shutdown-and-irq.patch | 134 ++++++++++++++++++ ...x-typo-in-compatible-string-matching.patch | 35 +++++ ...-new-jms567-revision-to-unusual_devs.patch | 32 +++++ ...meter-description-for-auto_delink_en.patch | 35 +++++ ...ealtek-whitelist-auto-delink-support.patch | 52 +++++++ ...more-sanity-checking-for-packet-size.patch | 35 +++++ 16 files changed, 989 insertions(+) create mode 100644 queue-5.2/kvm-arm-arm64-vgic-fix-potential-deadlock-when-ap_list-is-long.patch create mode 100644 queue-5.2/kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch create mode 100644 queue-5.2/kvm-ppc-book3s-fix-incorrect-guest-to-user-translation-error-handling.patch create mode 100644 queue-5.2/mei-me-add-tiger-lake-point-lp-device-id.patch create mode 100644 queue-5.2/revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch create mode 100644 queue-5.2/tools-power-turbostat-fix-caller-parameter-of-get_tdp_amd.patch create mode 100644 queue-5.2/usb-cdc-wdm-fix-race-between-write-and-disconnect-due-to-flag-abuse.patch create mode 100644 queue-5.2/usb-chipidea-udc-don-t-do-hardware-access-if-gadget-has-stopped.patch create mode 100644 queue-5.2/usb-hcd-use-managed-device-resources.patch create mode 100644 queue-5.2/usb-host-ohci-fix-a-race-condition-between-shutdown-and-irq.patch create mode 100644 queue-5.2/usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch create mode 100644 queue-5.2/usb-storage-add-new-jms567-revision-to-unusual_devs.patch create mode 100644 queue-5.2/usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch create mode 100644 queue-5.2/usb-storage-ums-realtek-whitelist-auto-delink-support.patch create mode 100644 queue-5.2/usbtmc-more-sanity-checking-for-packet-size.patch diff --git a/queue-5.2/kvm-arm-arm64-vgic-fix-potential-deadlock-when-ap_list-is-long.patch b/queue-5.2/kvm-arm-arm64-vgic-fix-potential-deadlock-when-ap_list-is-long.patch new file mode 100644 index 00000000000..7ea160fd42d --- /dev/null +++ b/queue-5.2/kvm-arm-arm64-vgic-fix-potential-deadlock-when-ap_list-is-long.patch @@ -0,0 +1,44 @@ +From d4a8061a7c5f7c27a2dc002ee4cb89b3e6637e44 Mon Sep 17 00:00:00 2001 +From: Heyi Guo +Date: Tue, 27 Aug 2019 12:26:50 +0100 +Subject: KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long + +From: Heyi Guo + +commit d4a8061a7c5f7c27a2dc002ee4cb89b3e6637e44 upstream. + +If the ap_list is longer than 256 entries, merge_final() in list_sort() +will call the comparison callback with the same element twice, causing +a deadlock in vgic_irq_cmp(). + +Fix it by returning early when irqa == irqb. + +Cc: stable@vger.kernel.org # 4.7+ +Fixes: 8e4447457965 ("KVM: arm/arm64: vgic-new: Add IRQ sorting") +Signed-off-by: Zenghui Yu +Signed-off-by: Heyi Guo +[maz: massaged commit log and patch, added Fixes and Cc-stable] +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic/vgic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic.c ++++ b/virt/kvm/arm/vgic/vgic.c +@@ -254,6 +254,13 @@ static int vgic_irq_cmp(void *priv, stru + bool penda, pendb; + int ret; + ++ /* ++ * list_sort may call this function with the same element when ++ * the list is fairly long. ++ */ ++ if (unlikely(irqa == irqb)) ++ return 0; ++ + raw_spin_lock(&irqa->irq_lock); + raw_spin_lock_nested(&irqb->irq_lock, SINGLE_DEPTH_NESTING); + diff --git a/queue-5.2/kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch b/queue-5.2/kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch new file mode 100644 index 00000000000..9f964ce82d7 --- /dev/null +++ b/queue-5.2/kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch @@ -0,0 +1,97 @@ +From 82e40f558de566fdee214bec68096bbd5e64a6a4 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Wed, 28 Aug 2019 11:10:16 +0100 +Subject: KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI + +From: Marc Zyngier + +commit 82e40f558de566fdee214bec68096bbd5e64a6a4 upstream. + +A guest is not allowed to inject a SGI (or clear its pending state) +by writing to GICD_ISPENDR0 (resp. GICD_ICPENDR0), as these bits are +defined as WI (as per ARM IHI 0048B 4.3.7 and 4.3.8). + +Make sure we correctly emulate the architecture. + +Fixes: 96b298000db4 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers") +Cc: stable@vger.kernel.org # 4.7+ +Reported-by: Andre Przywara +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic/vgic-mmio.c | 18 ++++++++++++++++++ + virt/kvm/arm/vgic/vgic-v2.c | 5 ++++- + virt/kvm/arm/vgic/vgic-v3.c | 5 ++++- + 3 files changed, 26 insertions(+), 2 deletions(-) + +--- a/virt/kvm/arm/vgic/vgic-mmio.c ++++ b/virt/kvm/arm/vgic/vgic-mmio.c +@@ -195,6 +195,12 @@ static void vgic_hw_irq_spending(struct + vgic_irq_set_phys_active(irq, true); + } + ++static bool is_vgic_v2_sgi(struct kvm_vcpu *vcpu, struct vgic_irq *irq) ++{ ++ return (vgic_irq_is_sgi(irq->intid) && ++ vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V2); ++} ++ + void vgic_mmio_write_spending(struct kvm_vcpu *vcpu, + gpa_t addr, unsigned int len, + unsigned long val) +@@ -207,6 +213,12 @@ void vgic_mmio_write_spending(struct kvm + for_each_set_bit(i, &val, len * 8) { + struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i); + ++ /* GICD_ISPENDR0 SGI bits are WI */ ++ if (is_vgic_v2_sgi(vcpu, irq)) { ++ vgic_put_irq(vcpu->kvm, irq); ++ continue; ++ } ++ + raw_spin_lock_irqsave(&irq->irq_lock, flags); + if (irq->hw) + vgic_hw_irq_spending(vcpu, irq, is_uaccess); +@@ -254,6 +266,12 @@ void vgic_mmio_write_cpending(struct kvm + for_each_set_bit(i, &val, len * 8) { + struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i); + ++ /* GICD_ICPENDR0 SGI bits are WI */ ++ if (is_vgic_v2_sgi(vcpu, irq)) { ++ vgic_put_irq(vcpu->kvm, irq); ++ continue; ++ } ++ + raw_spin_lock_irqsave(&irq->irq_lock, flags); + + if (irq->hw) +--- a/virt/kvm/arm/vgic/vgic-v2.c ++++ b/virt/kvm/arm/vgic/vgic-v2.c +@@ -184,7 +184,10 @@ void vgic_v2_populate_lr(struct kvm_vcpu + if (vgic_irq_is_sgi(irq->intid)) { + u32 src = ffs(irq->source); + +- BUG_ON(!src); ++ if (WARN_RATELIMIT(!src, "No SGI source for INTID %d\n", ++ irq->intid)) ++ return; ++ + val |= (src - 1) << GICH_LR_PHYSID_CPUID_SHIFT; + irq->source &= ~(1 << (src - 1)); + if (irq->source) { +--- a/virt/kvm/arm/vgic/vgic-v3.c ++++ b/virt/kvm/arm/vgic/vgic-v3.c +@@ -167,7 +167,10 @@ void vgic_v3_populate_lr(struct kvm_vcpu + model == KVM_DEV_TYPE_ARM_VGIC_V2) { + u32 src = ffs(irq->source); + +- BUG_ON(!src); ++ if (WARN_RATELIMIT(!src, "No SGI source for INTID %d\n", ++ irq->intid)) ++ return; ++ + val |= (src - 1) << GICH_LR_PHYSID_CPUID_SHIFT; + irq->source &= ~(1 << (src - 1)); + if (irq->source) { diff --git a/queue-5.2/kvm-ppc-book3s-fix-incorrect-guest-to-user-translation-error-handling.patch b/queue-5.2/kvm-ppc-book3s-fix-incorrect-guest-to-user-translation-error-handling.patch new file mode 100644 index 00000000000..d788f63a6b8 --- /dev/null +++ b/queue-5.2/kvm-ppc-book3s-fix-incorrect-guest-to-user-translation-error-handling.patch @@ -0,0 +1,61 @@ +From ddfd151f3def9258397fcde7a372205a2d661903 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Mon, 26 Aug 2019 14:55:20 +1000 +Subject: KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling + +From: Alexey Kardashevskiy + +commit ddfd151f3def9258397fcde7a372205a2d661903 upstream. + +H_PUT_TCE_INDIRECT handlers receive a page with up to 512 TCEs from +a guest. Although we verify correctness of TCEs before we do anything +with the existing tables, there is a small window when a check in +kvmppc_tce_validate might pass and right after that the guest alters +the page of TCEs, causing an early exit from the handler and leaving +srcu_read_lock(&vcpu->kvm->srcu) (virtual mode) or lock_rmap(rmap) +(real mode) locked. + +This fixes the bug by jumping to the common exit code with an appropriate +unlock. + +Cc: stable@vger.kernel.org # v4.11+ +Fixes: 121f80ba68f1 ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO") +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_64_vio.c | 6 ++++-- + arch/powerpc/kvm/book3s_64_vio_hv.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/kvm/book3s_64_vio.c ++++ b/arch/powerpc/kvm/book3s_64_vio.c +@@ -696,8 +696,10 @@ long kvmppc_h_put_tce_indirect(struct kv + } + tce = be64_to_cpu(tce); + +- if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua)) +- return H_PARAMETER; ++ if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua)) { ++ ret = H_PARAMETER; ++ goto unlock_exit; ++ } + + list_for_each_entry_lockless(stit, &stt->iommu_tables, next) { + ret = kvmppc_tce_iommu_map(vcpu->kvm, stt, +--- a/arch/powerpc/kvm/book3s_64_vio_hv.c ++++ b/arch/powerpc/kvm/book3s_64_vio_hv.c +@@ -556,8 +556,10 @@ long kvmppc_rm_h_put_tce_indirect(struct + unsigned long tce = be64_to_cpu(((u64 *)tces)[i]); + + ua = 0; +- if (kvmppc_rm_tce_to_ua(vcpu->kvm, tce, &ua, NULL)) +- return H_PARAMETER; ++ if (kvmppc_rm_tce_to_ua(vcpu->kvm, tce, &ua, NULL)) { ++ ret = H_PARAMETER; ++ goto unlock_exit; ++ } + + list_for_each_entry_lockless(stit, &stt->iommu_tables, next) { + ret = kvmppc_rm_tce_iommu_map(vcpu->kvm, stt, diff --git a/queue-5.2/mei-me-add-tiger-lake-point-lp-device-id.patch b/queue-5.2/mei-me-add-tiger-lake-point-lp-device-id.patch new file mode 100644 index 00000000000..9fe36a9dc7a --- /dev/null +++ b/queue-5.2/mei-me-add-tiger-lake-point-lp-device-id.patch @@ -0,0 +1,43 @@ +From 587f17407741a5be07f8a2d1809ec946c8120962 Mon Sep 17 00:00:00 2001 +From: Tomas Winkler +Date: Mon, 19 Aug 2019 13:32:10 +0300 +Subject: mei: me: add Tiger Lake point LP device ID + +From: Tomas Winkler + +commit 587f17407741a5be07f8a2d1809ec946c8120962 upstream. + +Add Tiger Lake Point device ID for TGP LP. + +Signed-off-by: Tomas Winkler +Cc: stable +Link: https://lore.kernel.org/r/20190819103210.32748-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hw-me-regs.h | 2 ++ + drivers/misc/mei/pci-me.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -81,6 +81,8 @@ + + #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */ + ++#define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */ ++ + #define MEI_DEV_ID_MCC 0x4B70 /* Mule Creek Canyon (EHL) */ + #define MEI_DEV_ID_MCC_4 0x4B75 /* Mule Creek Canyon 4 (EHL) */ + +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -98,6 +98,8 @@ static const struct pci_device_id mei_me + + {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)}, ++ + {MEI_PCI_DEVICE(MEI_DEV_ID_MCC, MEI_ME_PCH12_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_MCC_4, MEI_ME_PCH8_CFG)}, + diff --git a/queue-5.2/revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch b/queue-5.2/revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch new file mode 100644 index 00000000000..8c25897465a --- /dev/null +++ b/queue-5.2/revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch @@ -0,0 +1,79 @@ +From 0f686ca933597cfcc0636253fc1740423c062ec7 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Fri, 9 Aug 2019 01:24:30 +0300 +Subject: Revert "mmc: sdhci-tegra: drop ->get_ro() implementation" + +From: Dmitry Osipenko + +commit 0f686ca933597cfcc0636253fc1740423c062ec7 upstream. + +The WRITE_PROTECT bit is always in a "protected mode" on Tegra and +WP-GPIO state need to be used instead. In a case of the GPIO absence, +write-enable should be assumed. External SD is writable once again as +a result of this patch because the offending commit changed behaviour for +the case of a missing WP-GPIO to fall back to WRITE_PROTECT bit-checking, +which is incorrect for Tegra. + +Cc: stable@vger.kernel.org # v5.1+ +Fixes: e8391453e27f ("mmc: sdhci-tegra: drop ->get_ro() implementation") +Signed-off-by: Dmitry Osipenko +Acked-by: Thierry Reding +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-tegra.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/mmc/host/sdhci-tegra.c ++++ b/drivers/mmc/host/sdhci-tegra.c +@@ -258,6 +258,16 @@ static void tegra210_sdhci_writew(struct + } + } + ++static unsigned int tegra_sdhci_get_ro(struct sdhci_host *host) ++{ ++ /* ++ * Write-enable shall be assumed if GPIO is missing in a board's ++ * device-tree because SDHCI's WRITE_PROTECT bit doesn't work on ++ * Tegra. ++ */ ++ return mmc_gpio_get_ro(host->mmc); ++} ++ + static bool tegra_sdhci_is_pad_and_regulator_valid(struct sdhci_host *host) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); +@@ -1224,6 +1234,7 @@ static const struct cqhci_host_ops sdhci + }; + + static const struct sdhci_ops tegra_sdhci_ops = { ++ .get_ro = tegra_sdhci_get_ro, + .read_w = tegra_sdhci_readw, + .write_l = tegra_sdhci_writel, + .set_clock = tegra_sdhci_set_clock, +@@ -1279,6 +1290,7 @@ static const struct sdhci_tegra_soc_data + }; + + static const struct sdhci_ops tegra114_sdhci_ops = { ++ .get_ro = tegra_sdhci_get_ro, + .read_w = tegra_sdhci_readw, + .write_w = tegra_sdhci_writew, + .write_l = tegra_sdhci_writel, +@@ -1332,6 +1344,7 @@ static const struct sdhci_tegra_soc_data + }; + + static const struct sdhci_ops tegra210_sdhci_ops = { ++ .get_ro = tegra_sdhci_get_ro, + .read_w = tegra_sdhci_readw, + .write_w = tegra210_sdhci_writew, + .write_l = tegra_sdhci_writel, +@@ -1366,6 +1379,7 @@ static const struct sdhci_tegra_soc_data + }; + + static const struct sdhci_ops tegra186_sdhci_ops = { ++ .get_ro = tegra_sdhci_get_ro, + .read_w = tegra_sdhci_readw, + .write_l = tegra_sdhci_writel, + .set_clock = tegra_sdhci_set_clock, diff --git a/queue-5.2/series b/queue-5.2/series index ac939939479..906025c4f3b 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -75,3 +75,18 @@ hid-logitech-hidpp-remove-support-for-the-g700-over-.patch ftrace-fix-null-pointer-dereference-in-t_probe_next.patch ftrace-check-for-successful-allocation-of-hash.patch ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch +usbtmc-more-sanity-checking-for-packet-size.patch +usb-storage-add-new-jms567-revision-to-unusual_devs.patch +usb-cdc-wdm-fix-race-between-write-and-disconnect-due-to-flag-abuse.patch +usb-hcd-use-managed-device-resources.patch +usb-chipidea-udc-don-t-do-hardware-access-if-gadget-has-stopped.patch +usb-host-ohci-fix-a-race-condition-between-shutdown-and-irq.patch +usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch +usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch +usb-storage-ums-realtek-whitelist-auto-delink-support.patch +tools-power-turbostat-fix-caller-parameter-of-get_tdp_amd.patch +kvm-ppc-book3s-fix-incorrect-guest-to-user-translation-error-handling.patch +kvm-arm-arm64-vgic-fix-potential-deadlock-when-ap_list-is-long.patch +kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch +mei-me-add-tiger-lake-point-lp-device-id.patch +revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch diff --git a/queue-5.2/tools-power-turbostat-fix-caller-parameter-of-get_tdp_amd.patch b/queue-5.2/tools-power-turbostat-fix-caller-parameter-of-get_tdp_amd.patch new file mode 100644 index 00000000000..9650cbc4ad9 --- /dev/null +++ b/queue-5.2/tools-power-turbostat-fix-caller-parameter-of-get_tdp_amd.patch @@ -0,0 +1,35 @@ +From 9cfa8e042f7cbb1994cc5923e46c78b36f6054f4 Mon Sep 17 00:00:00 2001 +From: Pu Wen +Date: Sat, 31 Aug 2019 10:19:58 +0800 +Subject: tools/power turbostat: Fix caller parameter of get_tdp_amd() + +From: Pu Wen + +commit 9cfa8e042f7cbb1994cc5923e46c78b36f6054f4 upstream. + +Commit 9392bd98bba760be96ee ("tools/power turbostat: Add support for AMD +Fam 17h (Zen) RAPL") add a function get_tdp_amd(), the parameter is CPU +family. But the rapl_probe_amd() function use wrong model parameter. +Fix the wrong caller parameter of get_tdp_amd() to use family. + +Cc: # v5.1+ +Signed-off-by: Pu Wen +Reviewed-by: Calvin Walton +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -4002,7 +4002,7 @@ void rapl_probe_amd(unsigned int family, + rapl_energy_units = ldexp(1.0, -(msr >> 8 & 0x1f)); + rapl_power_units = ldexp(1.0, -(msr & 0xf)); + +- tdp = get_tdp_amd(model); ++ tdp = get_tdp_amd(family); + + rapl_joule_counter_range = 0xFFFFFFFF * rapl_energy_units / tdp; + if (!quiet) diff --git a/queue-5.2/usb-cdc-wdm-fix-race-between-write-and-disconnect-due-to-flag-abuse.patch b/queue-5.2/usb-cdc-wdm-fix-race-between-write-and-disconnect-due-to-flag-abuse.patch new file mode 100644 index 00000000000..ef2620ebd40 --- /dev/null +++ b/queue-5.2/usb-cdc-wdm-fix-race-between-write-and-disconnect-due-to-flag-abuse.patch @@ -0,0 +1,64 @@ +From 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 27 Aug 2019 12:34:36 +0200 +Subject: USB: cdc-wdm: fix race between write and disconnect due to flag abuse + +From: Oliver Neukum + +commit 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e upstream. + +In case of a disconnect an ongoing flush() has to be made fail. +Nevertheless we cannot be sure that any pending URB has already +finished, so although they will never succeed, they still must +not be touched. +The clean solution for this is to check for WDM_IN_USE +and WDM_DISCONNECTED in flush(). There is no point in ever +clearing WDM_IN_USE, as no further writes make sense. + +The issue is as old as the driver. + +Fixes: afba937e540c9 ("USB: CDC WDM driver") +Reported-by: syzbot+d232cca6ec42c2edb3fc@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20190827103436.21143-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-wdm.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -587,10 +587,20 @@ static int wdm_flush(struct file *file, + { + struct wdm_device *desc = file->private_data; + +- wait_event(desc->wait, !test_bit(WDM_IN_USE, &desc->flags)); ++ wait_event(desc->wait, ++ /* ++ * needs both flags. We cannot do with one ++ * because resetting it would cause a race ++ * with write() yet we need to signal ++ * a disconnect ++ */ ++ !test_bit(WDM_IN_USE, &desc->flags) || ++ test_bit(WDM_DISCONNECTING, &desc->flags)); + + /* cannot dereference desc->intf if WDM_DISCONNECTING */ +- if (desc->werr < 0 && !test_bit(WDM_DISCONNECTING, &desc->flags)) ++ if (test_bit(WDM_DISCONNECTING, &desc->flags)) ++ return -ENODEV; ++ if (desc->werr < 0) + dev_err(&desc->intf->dev, "Error in flush path: %d\n", + desc->werr); + +@@ -974,8 +984,6 @@ static void wdm_disconnect(struct usb_in + spin_lock_irqsave(&desc->iuspin, flags); + set_bit(WDM_DISCONNECTING, &desc->flags); + set_bit(WDM_READ, &desc->flags); +- /* to terminate pending flushes */ +- clear_bit(WDM_IN_USE, &desc->flags); + spin_unlock_irqrestore(&desc->iuspin, flags); + wake_up_all(&desc->wait); + mutex_lock(&desc->rlock); diff --git a/queue-5.2/usb-chipidea-udc-don-t-do-hardware-access-if-gadget-has-stopped.patch b/queue-5.2/usb-chipidea-udc-don-t-do-hardware-access-if-gadget-has-stopped.patch new file mode 100644 index 00000000000..48e1011e8b5 --- /dev/null +++ b/queue-5.2/usb-chipidea-udc-don-t-do-hardware-access-if-gadget-has-stopped.patch @@ -0,0 +1,118 @@ +From cbe85c88ce80fb92956a0793518d415864dcead8 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 20 Aug 2019 02:07:58 +0000 +Subject: usb: chipidea: udc: don't do hardware access if gadget has stopped + +From: Peter Chen + +commit cbe85c88ce80fb92956a0793518d415864dcead8 upstream. + +After _gadget_stop_activity is executed, we can consider the hardware +operation for gadget has finished, and the udc can be stopped and enter +low power mode. So, any later hardware operations (from usb_ep_ops APIs +or usb_gadget_ops APIs) should be considered invalid, any deinitializatons +has been covered at _gadget_stop_activity. + +I meet this problem when I plug out usb cable from PC using mass_storage +gadget, my callstack like: vbus interrupt->.vbus_session-> +composite_disconnect ->pm_runtime_put_sync(&_gadget->dev), +the composite_disconnect will call fsg_disable, but fsg_disable calls +usb_ep_disable using async way, there are register accesses for +usb_ep_disable. So sometimes, I get system hang due to visit register +without clock, sometimes not. + +The Linux Kernel USB maintainer Alan Stern suggests this kinds of solution. +See: http://marc.info/?l=linux-usb&m=138541769810983&w=2. + +Cc: #v4.9+ +Signed-off-by: Peter Chen +Link: https://lore.kernel.org/r/20190820020503.27080-2-peter.chen@nxp.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/udc.c | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -709,12 +709,6 @@ static int _gadget_stop_activity(struct + struct ci_hdrc *ci = container_of(gadget, struct ci_hdrc, gadget); + unsigned long flags; + +- spin_lock_irqsave(&ci->lock, flags); +- ci->gadget.speed = USB_SPEED_UNKNOWN; +- ci->remote_wakeup = 0; +- ci->suspended = 0; +- spin_unlock_irqrestore(&ci->lock, flags); +- + /* flush all endpoints */ + gadget_for_each_ep(ep, gadget) { + usb_ep_fifo_flush(ep); +@@ -732,6 +726,12 @@ static int _gadget_stop_activity(struct + ci->status = NULL; + } + ++ spin_lock_irqsave(&ci->lock, flags); ++ ci->gadget.speed = USB_SPEED_UNKNOWN; ++ ci->remote_wakeup = 0; ++ ci->suspended = 0; ++ spin_unlock_irqrestore(&ci->lock, flags); ++ + return 0; + } + +@@ -1303,6 +1303,10 @@ static int ep_disable(struct usb_ep *ep) + return -EBUSY; + + spin_lock_irqsave(hwep->lock, flags); ++ if (hwep->ci->gadget.speed == USB_SPEED_UNKNOWN) { ++ spin_unlock_irqrestore(hwep->lock, flags); ++ return 0; ++ } + + /* only internal SW should disable ctrl endpts */ + +@@ -1392,6 +1396,10 @@ static int ep_queue(struct usb_ep *ep, s + return -EINVAL; + + spin_lock_irqsave(hwep->lock, flags); ++ if (hwep->ci->gadget.speed == USB_SPEED_UNKNOWN) { ++ spin_unlock_irqrestore(hwep->lock, flags); ++ return 0; ++ } + retval = _ep_queue(ep, req, gfp_flags); + spin_unlock_irqrestore(hwep->lock, flags); + return retval; +@@ -1415,8 +1423,8 @@ static int ep_dequeue(struct usb_ep *ep, + return -EINVAL; + + spin_lock_irqsave(hwep->lock, flags); +- +- hw_ep_flush(hwep->ci, hwep->num, hwep->dir); ++ if (hwep->ci->gadget.speed != USB_SPEED_UNKNOWN) ++ hw_ep_flush(hwep->ci, hwep->num, hwep->dir); + + list_for_each_entry_safe(node, tmpnode, &hwreq->tds, td) { + dma_pool_free(hwep->td_pool, node->ptr, node->dma); +@@ -1487,6 +1495,10 @@ static void ep_fifo_flush(struct usb_ep + } + + spin_lock_irqsave(hwep->lock, flags); ++ if (hwep->ci->gadget.speed == USB_SPEED_UNKNOWN) { ++ spin_unlock_irqrestore(hwep->lock, flags); ++ return; ++ } + + hw_ep_flush(hwep->ci, hwep->num, hwep->dir); + +@@ -1559,6 +1571,10 @@ static int ci_udc_wakeup(struct usb_gadg + int ret = 0; + + spin_lock_irqsave(&ci->lock, flags); ++ if (ci->gadget.speed == USB_SPEED_UNKNOWN) { ++ spin_unlock_irqrestore(&ci->lock, flags); ++ return 0; ++ } + if (!ci->remote_wakeup) { + ret = -EOPNOTSUPP; + goto out; diff --git a/queue-5.2/usb-hcd-use-managed-device-resources.patch b/queue-5.2/usb-hcd-use-managed-device-resources.patch new file mode 100644 index 00000000000..250da393699 --- /dev/null +++ b/queue-5.2/usb-hcd-use-managed-device-resources.patch @@ -0,0 +1,110 @@ +From 76da906ad727048a74bb8067031ee99fc070c7da Mon Sep 17 00:00:00 2001 +From: "Schmid, Carsten" +Date: Fri, 23 Aug 2019 14:11:28 +0000 +Subject: usb: hcd: use managed device resources + +From: Schmid, Carsten + +commit 76da906ad727048a74bb8067031ee99fc070c7da upstream. + +Using managed device resources in usb_hcd_pci_probe() allows devm usage for +resource subranges, such as the mmio resource for the platform device +created to control host/device mode mux, which is a xhci extended +capability, and sits inside the xhci mmio region. + +If managed device resources are not used then "parent" resource +is released before subrange at driver removal as .remove callback is +called before the devres list of resources for this device is walked +and released. + +This has been observed with the xhci extended capability driver causing a +use-after-free which is now fixed. + +An additional nice benefit is that error handling on driver initialisation +is simplified much. + +Signed-off-by: Carsten Schmid +Tested-by: Carsten Schmid +Reviewed-by: Mathias Nyman +Fixes: fa31b3cb2ae1 ("xhci: Add Intel extended cap / otg phy mux handling") +Cc: # v4.19+ +Link: https://lore.kernel.org/r/1566569488679.31808@mentor.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hcd-pci.c | 30 ++++++++---------------------- + 1 file changed, 8 insertions(+), 22 deletions(-) + +--- a/drivers/usb/core/hcd-pci.c ++++ b/drivers/usb/core/hcd-pci.c +@@ -216,17 +216,18 @@ int usb_hcd_pci_probe(struct pci_dev *de + /* EHCI, OHCI */ + hcd->rsrc_start = pci_resource_start(dev, 0); + hcd->rsrc_len = pci_resource_len(dev, 0); +- if (!request_mem_region(hcd->rsrc_start, hcd->rsrc_len, +- driver->description)) { ++ if (!devm_request_mem_region(&dev->dev, hcd->rsrc_start, ++ hcd->rsrc_len, driver->description)) { + dev_dbg(&dev->dev, "controller already in use\n"); + retval = -EBUSY; + goto put_hcd; + } +- hcd->regs = ioremap_nocache(hcd->rsrc_start, hcd->rsrc_len); ++ hcd->regs = devm_ioremap_nocache(&dev->dev, hcd->rsrc_start, ++ hcd->rsrc_len); + if (hcd->regs == NULL) { + dev_dbg(&dev->dev, "error mapping memory\n"); + retval = -EFAULT; +- goto release_mem_region; ++ goto put_hcd; + } + + } else { +@@ -240,8 +241,8 @@ int usb_hcd_pci_probe(struct pci_dev *de + + hcd->rsrc_start = pci_resource_start(dev, region); + hcd->rsrc_len = pci_resource_len(dev, region); +- if (request_region(hcd->rsrc_start, hcd->rsrc_len, +- driver->description)) ++ if (devm_request_region(&dev->dev, hcd->rsrc_start, ++ hcd->rsrc_len, driver->description)) + break; + } + if (region == PCI_ROM_RESOURCE) { +@@ -275,20 +276,13 @@ int usb_hcd_pci_probe(struct pci_dev *de + } + + if (retval != 0) +- goto unmap_registers; ++ goto put_hcd; + device_wakeup_enable(hcd->self.controller); + + if (pci_dev_run_wake(dev)) + pm_runtime_put_noidle(&dev->dev); + return retval; + +-unmap_registers: +- if (driver->flags & HCD_MEMORY) { +- iounmap(hcd->regs); +-release_mem_region: +- release_mem_region(hcd->rsrc_start, hcd->rsrc_len); +- } else +- release_region(hcd->rsrc_start, hcd->rsrc_len); + put_hcd: + usb_put_hcd(hcd); + disable_pci: +@@ -347,14 +341,6 @@ void usb_hcd_pci_remove(struct pci_dev * + dev_set_drvdata(&dev->dev, NULL); + up_read(&companions_rwsem); + } +- +- if (hcd->driver->flags & HCD_MEMORY) { +- iounmap(hcd->regs); +- release_mem_region(hcd->rsrc_start, hcd->rsrc_len); +- } else { +- release_region(hcd->rsrc_start, hcd->rsrc_len); +- } +- + usb_put_hcd(hcd); + pci_disable_device(dev); + } diff --git a/queue-5.2/usb-host-ohci-fix-a-race-condition-between-shutdown-and-irq.patch b/queue-5.2/usb-host-ohci-fix-a-race-condition-between-shutdown-and-irq.patch new file mode 100644 index 00000000000..9cf494f7922 --- /dev/null +++ b/queue-5.2/usb-host-ohci-fix-a-race-condition-between-shutdown-and-irq.patch @@ -0,0 +1,134 @@ +From a349b95d7ca0cea71be4a7dac29830703de7eb62 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 27 Aug 2019 12:51:50 +0900 +Subject: usb: host: ohci: fix a race condition between shutdown and irq + +From: Yoshihiro Shimoda + +commit a349b95d7ca0cea71be4a7dac29830703de7eb62 upstream. + +This patch fixes an issue that the following error is +possible to happen when ohci hardware causes an interruption +and the system is shutting down at the same time. + +[ 34.851754] usb 2-1: USB disconnect, device number 2 +[ 35.166658] irq 156: nobody cared (try booting with the "irqpoll" option) +[ 35.173445] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 5.3.0-rc5 #85 +[ 35.179964] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) +[ 35.187886] Workqueue: usb_hub_wq hub_event +[ 35.192063] Call trace: +[ 35.194509] dump_backtrace+0x0/0x150 +[ 35.198165] show_stack+0x14/0x20 +[ 35.201475] dump_stack+0xa0/0xc4 +[ 35.204785] __report_bad_irq+0x34/0xe8 +[ 35.208614] note_interrupt+0x2cc/0x318 +[ 35.212446] handle_irq_event_percpu+0x5c/0x88 +[ 35.216883] handle_irq_event+0x48/0x78 +[ 35.220712] handle_fasteoi_irq+0xb4/0x188 +[ 35.224802] generic_handle_irq+0x24/0x38 +[ 35.228804] __handle_domain_irq+0x5c/0xb0 +[ 35.232893] gic_handle_irq+0x58/0xa8 +[ 35.236548] el1_irq+0xb8/0x180 +[ 35.239681] __do_softirq+0x94/0x23c +[ 35.243253] irq_exit+0xd0/0xd8 +[ 35.246387] __handle_domain_irq+0x60/0xb0 +[ 35.250475] gic_handle_irq+0x58/0xa8 +[ 35.254130] el1_irq+0xb8/0x180 +[ 35.257268] kernfs_find_ns+0x5c/0x120 +[ 35.261010] kernfs_find_and_get_ns+0x3c/0x60 +[ 35.265361] sysfs_unmerge_group+0x20/0x68 +[ 35.269454] dpm_sysfs_remove+0x2c/0x68 +[ 35.273284] device_del+0x80/0x370 +[ 35.276683] hid_destroy_device+0x28/0x60 +[ 35.280686] usbhid_disconnect+0x4c/0x80 +[ 35.284602] usb_unbind_interface+0x6c/0x268 +[ 35.288867] device_release_driver_internal+0xe4/0x1b0 +[ 35.293998] device_release_driver+0x14/0x20 +[ 35.298261] bus_remove_device+0x110/0x128 +[ 35.302350] device_del+0x148/0x370 +[ 35.305832] usb_disable_device+0x8c/0x1d0 +[ 35.309921] usb_disconnect+0xc8/0x2d0 +[ 35.313663] hub_event+0x6e0/0x1128 +[ 35.317146] process_one_work+0x1e0/0x320 +[ 35.321148] worker_thread+0x40/0x450 +[ 35.324805] kthread+0x124/0x128 +[ 35.328027] ret_from_fork+0x10/0x18 +[ 35.331594] handlers: +[ 35.333862] [<0000000079300c1d>] usb_hcd_irq +[ 35.338126] [<0000000079300c1d>] usb_hcd_irq +[ 35.342389] Disabling IRQ #156 + +ohci_shutdown() disables all the interrupt and rh_state is set to +OHCI_RH_HALTED. In other hand, ohci_irq() is possible to enable +OHCI_INTR_SF and OHCI_INTR_MIE on ohci_irq(). Note that OHCI_INTR_SF +is possible to be set by start_ed_unlink() which is called: + ohci_irq() + -> process_done_list() + -> takeback_td() + -> start_ed_unlink() + +So, ohci_irq() has the following condition, the issue happens by +&ohci->regs->intrenable = OHCI_INTR_MIE | OHCI_INTR_SF and +ohci->rh_state = OHCI_RH_HALTED: + + /* interrupt for some other device? */ + if (ints == 0 || unlikely(ohci->rh_state == OHCI_RH_HALTED)) + return IRQ_NOTMINE; + +To fix the issue, ohci_shutdown() holds the spin lock while disabling +the interruption and changing the rh_state flag to prevent reenable +the OHCI_INTR_MIE unexpectedly. Note that io_watchdog_func() also +calls the ohci_shutdown() and it already held the spin lock, so that +the patch makes a new function as _ohci_shutdown(). + +This patch is inspired by a Renesas R-Car Gen3 BSP patch +from Tho Vu. + +Signed-off-by: Yoshihiro Shimoda +Cc: stable +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/1566877910-6020-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-hcd.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/ohci-hcd.c ++++ b/drivers/usb/host/ohci-hcd.c +@@ -418,8 +418,7 @@ static void ohci_usb_reset (struct ohci_ + * other cases where the next software may expect clean state from the + * "firmware". this is bus-neutral, unlike shutdown() methods. + */ +-static void +-ohci_shutdown (struct usb_hcd *hcd) ++static void _ohci_shutdown(struct usb_hcd *hcd) + { + struct ohci_hcd *ohci; + +@@ -435,6 +434,16 @@ ohci_shutdown (struct usb_hcd *hcd) + ohci->rh_state = OHCI_RH_HALTED; + } + ++static void ohci_shutdown(struct usb_hcd *hcd) ++{ ++ struct ohci_hcd *ohci = hcd_to_ohci(hcd); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&ohci->lock, flags); ++ _ohci_shutdown(hcd); ++ spin_unlock_irqrestore(&ohci->lock, flags); ++} ++ + /*-------------------------------------------------------------------------* + * HC functions + *-------------------------------------------------------------------------*/ +@@ -752,7 +761,7 @@ static void io_watchdog_func(struct time + died: + usb_hc_died(ohci_to_hcd(ohci)); + ohci_dump(ohci); +- ohci_shutdown(ohci_to_hcd(ohci)); ++ _ohci_shutdown(ohci_to_hcd(ohci)); + goto done; + } else { + /* No write back because the done queue was empty */ diff --git a/queue-5.2/usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch b/queue-5.2/usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch new file mode 100644 index 00000000000..710cbf64fef --- /dev/null +++ b/queue-5.2/usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch @@ -0,0 +1,35 @@ +From 636bd02a7ba9025ff851d0cfb92768c8fa865859 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Tue, 27 Aug 2019 14:51:12 +0200 +Subject: usb: host: xhci: rcar: Fix typo in compatible string matching + +From: Geert Uytterhoeven + +commit 636bd02a7ba9025ff851d0cfb92768c8fa865859 upstream. + +It's spelled "renesas", not "renensas". + +Due to this typo, RZ/G1M and RZ/G1N were not covered by the check. + +Fixes: 2dc240a3308b ("usb: host: xhci: rcar: retire use of xhci_plat_type_is()") +Signed-off-by: Geert Uytterhoeven +Cc: stable +Reviewed-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20190827125112.12192-1-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-rcar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-rcar.c ++++ b/drivers/usb/host/xhci-rcar.c +@@ -104,7 +104,7 @@ static int xhci_rcar_is_gen2(struct devi + return of_device_is_compatible(node, "renesas,xhci-r8a7790") || + of_device_is_compatible(node, "renesas,xhci-r8a7791") || + of_device_is_compatible(node, "renesas,xhci-r8a7793") || +- of_device_is_compatible(node, "renensas,rcar-gen2-xhci"); ++ of_device_is_compatible(node, "renesas,rcar-gen2-xhci"); + } + + static int xhci_rcar_is_gen3(struct device *dev) diff --git a/queue-5.2/usb-storage-add-new-jms567-revision-to-unusual_devs.patch b/queue-5.2/usb-storage-add-new-jms567-revision-to-unusual_devs.patch new file mode 100644 index 00000000000..574c4d51d72 --- /dev/null +++ b/queue-5.2/usb-storage-add-new-jms567-revision-to-unusual_devs.patch @@ -0,0 +1,32 @@ +From 08d676d1685c2a29e4d0e1b0242324e564d4589e Mon Sep 17 00:00:00 2001 +From: Henk van der Laan +Date: Fri, 16 Aug 2019 22:08:47 +0200 +Subject: usb-storage: Add new JMS567 revision to unusual_devs + +From: Henk van der Laan + +commit 08d676d1685c2a29e4d0e1b0242324e564d4589e upstream. + +Revision 0x0117 suffers from an identical issue to earlier revisions, +therefore it should be added to the quirks list. + +Signed-off-by: Henk van der Laan +Cc: stable +Link: https://lore.kernel.org/r/20190816200847.21366-1-opensource@henkvdlaan.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2100,7 +2100,7 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x + US_FL_IGNORE_RESIDUE ), + + /* Reported by Michael Büsch */ +-UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116, ++UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0117, + "JMicron", + "USB to ATA/ATAPI Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, diff --git a/queue-5.2/usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch b/queue-5.2/usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch new file mode 100644 index 00000000000..3c8f9dfb5cd --- /dev/null +++ b/queue-5.2/usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch @@ -0,0 +1,35 @@ +From f6445b6b2f2bb1745080af4a0926049e8bca2617 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 28 Aug 2019 01:34:49 +0800 +Subject: USB: storage: ums-realtek: Update module parameter description for auto_delink_en + +From: Kai-Heng Feng + +commit f6445b6b2f2bb1745080af4a0926049e8bca2617 upstream. + +The option named "auto_delink_en" is a bit misleading, as setting it to +false doesn't really disable auto-delink but let auto-delink be firmware +controlled. + +Update the description to reflect the real usage of this parameter. + +Signed-off-by: Kai-Heng Feng +Cc: stable +Link: https://lore.kernel.org/r/20190827173450.13572-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/realtek_cr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -38,7 +38,7 @@ MODULE_LICENSE("GPL"); + + static int auto_delink_en = 1; + module_param(auto_delink_en, int, S_IRUGO | S_IWUSR); +-MODULE_PARM_DESC(auto_delink_en, "enable auto delink"); ++MODULE_PARM_DESC(auto_delink_en, "auto delink mode (0=firmware, 1=software [default])"); + + #ifdef CONFIG_REALTEK_AUTOPM + static int ss_en = 1; diff --git a/queue-5.2/usb-storage-ums-realtek-whitelist-auto-delink-support.patch b/queue-5.2/usb-storage-ums-realtek-whitelist-auto-delink-support.patch new file mode 100644 index 00000000000..0b6f3b371f6 --- /dev/null +++ b/queue-5.2/usb-storage-ums-realtek-whitelist-auto-delink-support.patch @@ -0,0 +1,52 @@ +From 1902a01e2bcc3abd7c9a18dc05e78c7ab4a53c54 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 28 Aug 2019 01:34:50 +0800 +Subject: USB: storage: ums-realtek: Whitelist auto-delink support + +From: Kai-Heng Feng + +commit 1902a01e2bcc3abd7c9a18dc05e78c7ab4a53c54 upstream. + +Auto-delink requires writing special registers to ums-realtek devices. +Unconditionally enable auto-delink may break newer devices. + +So only enable auto-delink by default for the original three IDs, +0x0138, 0x0158 and 0x0159. + +Realtek is working on a patch to properly support auto-delink for other +IDs. + +BugLink: https://bugs.launchpad.net/bugs/1838886 +Signed-off-by: Kai-Heng Feng +Acked-by: Alan Stern +Cc: stable +Link: https://lore.kernel.org/r/20190827173450.13572-2-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/realtek_cr.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -996,12 +996,15 @@ static int init_realtek_cr(struct us_dat + goto INIT_FAIL; + } + +- if (CHECK_FW_VER(chip, 0x5888) || CHECK_FW_VER(chip, 0x5889) || +- CHECK_FW_VER(chip, 0x5901)) +- SET_AUTO_DELINK(chip); +- if (STATUS_LEN(chip) == 16) { +- if (SUPPORT_AUTO_DELINK(chip)) ++ if (CHECK_PID(chip, 0x0138) || CHECK_PID(chip, 0x0158) || ++ CHECK_PID(chip, 0x0159)) { ++ if (CHECK_FW_VER(chip, 0x5888) || CHECK_FW_VER(chip, 0x5889) || ++ CHECK_FW_VER(chip, 0x5901)) + SET_AUTO_DELINK(chip); ++ if (STATUS_LEN(chip) == 16) { ++ if (SUPPORT_AUTO_DELINK(chip)) ++ SET_AUTO_DELINK(chip); ++ } + } + #ifdef CONFIG_REALTEK_AUTOPM + if (ss_en) diff --git a/queue-5.2/usbtmc-more-sanity-checking-for-packet-size.patch b/queue-5.2/usbtmc-more-sanity-checking-for-packet-size.patch new file mode 100644 index 00000000000..a74c125a711 --- /dev/null +++ b/queue-5.2/usbtmc-more-sanity-checking-for-packet-size.patch @@ -0,0 +1,35 @@ +From de7b9aa633b693e77942e12f1769506efae6917b Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 20 Aug 2019 11:28:25 +0200 +Subject: usbtmc: more sanity checking for packet size + +From: Oliver Neukum + +commit de7b9aa633b693e77942e12f1769506efae6917b upstream. + +A malicious device can make the driver divide ny zero +with a nonsense maximum packet size. + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20190820092826.17694-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/usbtmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -2362,8 +2362,11 @@ static int usbtmc_probe(struct usb_inter + goto err_put; + } + ++ retcode = -EINVAL; + data->bulk_in = bulk_in->bEndpointAddress; + data->wMaxPacketSize = usb_endpoint_maxp(bulk_in); ++ if (!data->wMaxPacketSize) ++ goto err_put; + dev_dbg(&intf->dev, "Found bulk in endpoint at %u\n", data->bulk_in); + + data->bulk_out = bulk_out->bEndpointAddress; -- 2.47.3