From d6fd6114d9c827e4b2d715bd8ad94fb065db1d66 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 22 Mar 2021 10:00:31 +0100 Subject: [PATCH] 5.10-stable patches added patches: usb-dwc3-gadget-allow-runtime-suspend-if-udc-unbinded.patch usb-dwc3-gadget-prevent-ep-queuing-while-stopping-transfers.patch usb-gadget-configfs-fix-kasan-use-after-free.patch usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
---
 queue-5.10/series | 7 ++
 ...llow-runtime-suspend-if-udc-unbinded.patch | 59 ++++++++++++
 ...-ep-queuing-while-stopping-transfers.patch | 92 ++++++++++++++++++
 ...et-configfs-fix-kasan-use-after-free.patch | 83 +++++++++++++++++
 ...-to-defeat-kindle-s-automatic-unload.patch | 93 +++++++++++++++++++
 ...t-of-tps6598x_rx_identity_reg-struct.patch | 40 ++++++++
 ...r_supply_changed-for-tcpm-source-psy.patch | 92 ++++++++++++++++++
 ...t-double-assignment-to-udc-ud.tcp_rx.patch | 34 +++++++
 8 files changed, 500 insertions(+)
 create mode 100644 queue-5.10/usb-dwc3-gadget-allow-runtime-suspend-if-udc-unbinded.patch
 create mode 100644 queue-5.10/usb-dwc3-gadget-prevent-ep-queuing-while-stopping-transfers.patch
 create mode 100644 queue-5.10/usb-gadget-configfs-fix-kasan-use-after-free.patch
 create mode 100644 queue-5.10/usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch
 create mode 100644 queue-5.10/usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch
 create mode 100644 queue-5.10/usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch
 create mode 100644 queue-5.10/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
diff --git a/queue-5.10/series b/queue-5.10/series
index c79652a1c90..7460719e925 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -113,3 +113,10 @@ gfs2-add-common-helper-for-holding-and-releasing-the.patch
 gfs2-move-freeze-glock-outside-the-make_fs_rw-and-_r.patch
 gfs2-bypass-signal_our_withdraw-if-no-journal.patch
 powerpc-force-inlining-of-cpu_has_feature-to-avoid-build-failure.patch
+usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch
+usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
+usb-gadget-configfs-fix-kasan-use-after-free.patch
+usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch
+usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch
+usb-dwc3-gadget-allow-runtime-suspend-if-udc-unbinded.patch
+usb-dwc3-gadget-prevent-ep-queuing-while-stopping-transfers.patch
diff --git a/queue-5.10/usb-dwc3-gadget-allow-runtime-suspend-if-udc-unbinded.patch b/queue-5.10/usb-dwc3-gadget-allow-runtime-suspend-if-udc-unbinded.patch
new file mode 100644
index 00000000000..5f7dea0d1a9
--- /dev/null
+++ b/queue-5.10/usb-dwc3-gadget-allow-runtime-suspend-if-udc-unbinded.patch
@@ -0,0 +1,59 @@
+From 77adb8bdf4227257e26b7ff67272678e66a0b250 Mon Sep 17 00:00:00 2001
+From: Wesley Cheng
+Date: Tue, 29 Dec 2020 15:05:35 -0800
+Subject: usb: dwc3: gadget: Allow runtime suspend if UDC unbinded
+
+From: Wesley Cheng
+
+commit 77adb8bdf4227257e26b7ff67272678e66a0b250 upstream.
+
+The DWC3 runtime suspend routine checks for the USB connected parameter to
+determine if the controller can enter into a low power state. The
+connected state is only set to false after receiving a disconnect event.
+However, in the case of a device initiated disconnect (i.e. UDC unbind),
+the controller is halted and a disconnect event is never generated. Set
+the connected flag to false if issuing a device initiated disconnect to
+allow the controller to be suspended.
+
+Signed-off-by: Wesley Cheng
+Link: https://lore.kernel.org/r/1609283136-22140-2-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/gadget.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2126,6 +2126,17 @@ static int dwc3_gadget_pullup(struct usb
+ }
+
+ /*
++ * Check the return value for successful resume, or error. For a
++ * successful resume, the DWC3 runtime PM resume routine will handle
++ * the run stop sequence, so avoid duplicate operations here.
++ */
++ ret = pm_runtime_get_sync(dwc->dev);
++ if (!ret || ret < 0) {
++ pm_runtime_put(dwc->dev);
++ return 0;
++ }
++
++ /*
+ * Synchronize any pending event handling before executing the controller
+ * halt routine.
+ */
+@@ -2163,12 +2174,14 @@ static int dwc3_gadget_pullup(struct usb
+ dwc->ev_buf->lpos = (dwc->ev_buf->lpos + count) %
+ dwc->ev_buf->length;
+ }
++ dwc->connected = false;
+ } else {
+ __dwc3_gadget_start(dwc);
+ }
+
+ ret = dwc3_gadget_run_stop(dwc, is_on, false);
+ spin_unlock_irqrestore(&dwc->lock, flags);
++ pm_runtime_put(dwc->dev);
+
+ return ret;
+ }
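Review bot: In the block added at the top of the `dwc3_gadget_pullup()` hunk, a failed `pm_runtime_get_sync()` (`ret < 0`) shares the branch for the just-resumed case and returns 0, so the caller is presumably told the pullup request succeeded although the controller was never touched. Dropping the usage count with `pm_runtime_put()` is right on both paths, but the error itself should be propagated, for example `return ret < 0 ? ret : 0;` in place of `return 0;`. The block comment could also state that a positive return means the device was already active, which is why only that case falls through to the run/stop sequence. The function body starts and ends outside the visible hunks.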
diff --git a/queue-5.10/usb-dwc3-gadget-prevent-ep-queuing-while-stopping-transfers.patch b/queue-5.10/usb-dwc3-gadget-prevent-ep-queuing-while-stopping-transfers.patch
new file mode 100644
index 00000000000..f5a7aa13ee4
--- /dev/null
+++ b/queue-5.10/usb-dwc3-gadget-prevent-ep-queuing-while-stopping-transfers.patch
@@ -0,0 +1,92 @@
+From f09ddcfcb8c569675066337adac2ac205113471f Mon Sep 17 00:00:00 2001
+From: Wesley Cheng
+Date: Thu, 11 Mar 2021 15:59:02 -0800
+Subject: usb: dwc3: gadget: Prevent EP queuing while stopping transfers
+
+From: Wesley Cheng
+
+commit f09ddcfcb8c569675066337adac2ac205113471f upstream.
+
+In the situations where the DWC3 gadget stops active transfers, once
+calling the dwc3_gadget_giveback(), there is a chance where a function
+driver can queue a new USB request in between the time where the dwc3
+lock has been released and re-aquired. This occurs after we've already
+issued an ENDXFER command. When the stop active transfers continues
+to remove USB requests from all dep lists, the newly added request will
+also be removed, while controller still has an active TRB for it.
+This can lead to the controller accessing an unmapped memory address.
+
+Fix this by ensuring parameters to prevent EP queuing are set before
+calling the stop active transfers API.
+
+Fixes: ae7e86108b12 ("usb: dwc3: Stop active transfers before halting the controller")
+Signed-off-by: Wesley Cheng
+Link: https://lore.kernel.org/r/1615507142-23097-1-git-send-email-wcheng@codeaurora.org
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/gadget.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -783,8 +783,6 @@ static int __dwc3_gadget_ep_disable(stru
+
+ trace_dwc3_gadget_ep_disable(dep);
+
+- dwc3_remove_requests(dwc, dep);
+-
+ /* make sure HW endpoint isn't stalled */
+ if (dep->flags & DWC3_EP_STALL)
+ __dwc3_gadget_ep_set_halt(dep, 0, false);
+@@ -803,6 +801,8 @@ static int __dwc3_gadget_ep_disable(stru
+ dep->endpoint.desc = NULL;
+ }
+
++ dwc3_remove_requests(dwc, dep);
++
+ return 0;
+ }
+
+@@ -1617,7 +1617,7 @@ static int __dwc3_gadget_ep_queue(struct
+ {
+ struct dwc3 *dwc = dep->dwc;
+
+- if (!dep->endpoint.desc || !dwc->pullups_connected) {
++ if
(!dep->endpoint.desc || !dwc->pullups_connected || !dwc->connected) {
+ dev_err(dwc->dev, "%s: can't queue to disabled endpoint\n",
+ dep->name);
+ return -ESHUTDOWN;
+@@ -2150,6 +2150,7 @@ static int dwc3_gadget_pullup(struct usb
+ if (!is_on) {
+ u32 count;
+
++ dwc->connected = false;
+ /*
+ * In the Synopsis DesignWare Cores USB3 Databook Rev. 3.30a
+ * Section 4.1.8 Table 4-7, it states that for a device-initiated
+@@ -2174,7 +2175,6 @@ static int dwc3_gadget_pullup(struct usb
+ dwc->ev_buf->lpos = (dwc->ev_buf->lpos + count) %
+ dwc->ev_buf->length;
+ }
+- dwc->connected = false;
+ } else {
+ __dwc3_gadget_start(dwc);
+ }
+@@ -3267,8 +3267,6 @@ static void dwc3_gadget_reset_interrupt(
+ {
+ u32 reg;
+
+- dwc->connected = true;
+-
+ /*
+ * WORKAROUND: DWC3 revisions <1.88a have an issue which
+ * would cause a missing Disconnect Event if there's a
+@@ -3308,6 +3306,7 @@ static void dwc3_gadget_reset_interrupt(
+ * transfers."
+ */
+ dwc3_stop_active_transfers(dwc);
++ dwc->connected = true;
+
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ reg &= ~DWC3_DCTL_TSTCTRL_MASK;
diff --git a/queue-5.10/usb-gadget-configfs-fix-kasan-use-after-free.patch b/queue-5.10/usb-gadget-configfs-fix-kasan-use-after-free.patch
new file mode 100644
index 00000000000..bfb3db1469e
--- /dev/null
+++ b/queue-5.10/usb-gadget-configfs-fix-kasan-use-after-free.patch
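Review bot: The dwc3 EP-queuing fix depends on statement order in two places, `dwc->connected = false;` ahead of the stop-transfer sequence in `dwc3_gadget_pullup()` and `dwc->connected = true;` after `dwc3_stop_active_transfers(dwc)` in `dwc3_gadget_reset_interrupt()`, yet neither assignment carries a comment. A later cleanup could move them back and reopen the window in which a request is queued against a TRB that is being torn down. A one-line comment at each site would pin the ordering, for example `/* keep after dwc3_stop_active_transfers(): __dwc3_gadget_ep_queue() must reject requests until then */`. Separately, the `dev_err()` in `__dwc3_gadget_ep_queue()` still says "disabled endpoint" when the request is refused only because `connected` is false. All three functions extend beyond the visible hunks.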
@@ -0,0 +1,83 @@
+From 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 Mon Sep 17 00:00:00 2001
+From: Jim Lin
+Date: Thu, 11 Mar 2021 14:42:41 +0800
+Subject: usb: gadget: configfs: Fix KASAN use-after-free
+
+From: Jim Lin
+
+commit 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 upstream.
+
+When gadget is disconnected, running sequence is like this.
+. composite_disconnect
+. Call trace:
+ usb_string_copy+0xd0/0x128
+ gadget_config_name_configuration_store+0x4
+ gadget_config_name_attr_store+0x40/0x50
+ configfs_write_file+0x198/0x1f4
+ vfs_write+0x100/0x220
+ SyS_write+0x58/0xa8
+. configfs_composite_unbind
+. configfs_composite_bind
+
+In configfs_composite_bind, it has
+"cn->strings.s = cn->configuration;"
+
+When usb_string_copy is invoked. it would
+allocate memory, copy input string, release previous pointed memory space,
+and use new allocated memory.
+
+When gadget is connected, host sends down request to get information.
+Call trace:
+ usb_gadget_get_string+0xec/0x168
+ lookup_string+0x64/0x98
+ composite_setup+0xa34/0x1ee8
+
+If gadget is disconnected and connected quickly, in the failed case,
+cn->configuration memory has been released by usb_string_copy kfree but
+configfs_composite_bind hasn't been run in time to assign new allocated
+"cn->configuration" pointer to "cn->strings.s".
+
+When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
+memory is accessed, "BUG: KASAN: use-after-free" error occurs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jim Lin
+Signed-off-by: Macpaul Lin
+Link: https://lore.kernel.org/r/1615444961-13376-1-git-send-email-macpaul.lin@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/configfs.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -97,6 +97,8 @@ struct gadget_config_name {
+ struct list_head list;
+ };
+
++#define USB_MAX_STRING_WITH_NULL_LEN (USB_MAX_STRING_LEN+1)
++
+ static int usb_string_copy(const char *s, char **s_copy)
+ {
+ int ret;
+@@ -106,12 +108,16 @@ static int usb_string_copy(const char *s
+ if (ret > USB_MAX_STRING_LEN)
+ return -EOVERFLOW;
+
+- str = kstrdup(s, GFP_KERNEL);
+- if (!str)
+- return -ENOMEM;
++ if (copy) {
++ str = copy;
++ } else {
++ str = kmalloc(USB_MAX_STRING_WITH_NULL_LEN, GFP_KERNEL);
++ if (!str)
++ return -ENOMEM;
++ }
++ strcpy(str, s);
+ if (str[ret - 1] == '\n')
+ str[ret - 1] = '\0';
+- kfree(copy);
+ *s_copy = str;
+ return 0;
+ }
diff --git a/queue-5.10/usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch b/queue-5.10/usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch
new file mode 100644
index 00000000000..6a75242dc7e
--- /dev/null
+++ b/queue-5.10/usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch
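Review bot: In `usb_string_copy()` the new `strcpy(str, s)` writes into the caller's existing buffer whenever `*s_copy` is non-NULL, which is only safe if every such buffer was allocated with `USB_MAX_STRING_WITH_NULL_LEN` bytes; nothing in the hunk enforces or documents that, and a pointer stored there by any other allocation path (none is visible here) would be overrun. A bounded copy keeps the write inside the known size regardless, `strscpy(str, s, USB_MAX_STRING_WITH_NULL_LEN);`, together with a comment on the function stating the size invariant. The unchanged context line `if (str[ret - 1] == '\n')` also indexes `str[-1]` when `ret` is 0 (presumably `ret` is `strlen(s)`, assigned between the two hunks), so `if (ret && str[ret - 1] == '\n')` is worth folding in. The string is now rewritten in place, so a concurrent reader no longer touches freed memory but could still observe a partially written string unless callers serialize; the hunk shows no locking.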
@@ -0,0 +1,93 @@
+From 546aa0e4ea6ed81b6c51baeebc4364542fa3f3a7 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 17 Mar 2021 15:06:54 -0400
+Subject: usb-storage: Add quirk to defeat Kindle's automatic unload
+
+From: Alan Stern
+
+commit 546aa0e4ea6ed81b6c51baeebc4364542fa3f3a7 upstream.
+
+Matthias reports that the Amazon Kindle automatically removes its
+emulated media if it doesn't receive another SCSI command within about
+one second after a SYNCHRONIZE CACHE. It does so even when the host
+has sent a PREVENT MEDIUM REMOVAL command. The reason for this
+behavior isn't clear, although it's not hard to make some guesses.
+
+At any rate, the results can be unexpected for anyone who tries to
+access the Kindle in an unusual fashion, and in theory they can lead
+to data loss (for example, if one file is closed and synchronized
+while other files are still in the middle of being written).
+
+To avoid such problems, this patch creates a new usb-storage quirks
+flag telling the driver always to issue a REQUEST SENSE following a
+SYNCHRONIZE CACHE command, and adds an unusual_devs entry for the
+Kindle with the flag set. This is sufficient to prevent the Kindle
+from doing its automatic unload, without interfering with proper
+operation.
+
+Another possible way to deal with this would be to increase the
+frequency of TEST UNIT READY polling that the kernel normally carries
+out for removable-media storage devices. However that would increase
+the overall load on the system and it is not as reliable, because the
+user can override the polling interval. Changing the driver's
+behavior is safer and has minimal overhead.
+
+CC:
+Reported-and-tested-by: Matthias Schwarzott
+Signed-off-by: Alan Stern
+Link: https://lore.kernel.org/r/20210317190654.GA497856@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/storage/transport.c | 7 +++++++
+ drivers/usb/storage/unusual_devs.h | 12 ++++++++++++
+ include/linux/usb_usual.h | 2 ++
+ 3 files changed, 21 insertions(+)
+
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -651,6 +651,13 @@ void usb_stor_invoke_transport(struct sc
+ need_auto_sense = 1;
+ }
+
++ /* Some devices (Kindle) require another command after SYNC CACHE */
++ if ((us->fflags & US_FL_SENSE_AFTER_SYNC) &&
++ srb->cmnd[0] == SYNCHRONIZE_CACHE) {
++ usb_stor_dbg(us, "-- sense after SYNC CACHE\n");
++ need_auto_sense = 1;
++ }
++
+ /*
+ * If we have a failure, we're going to do a REQUEST_SENSE
+ * automatically. Note that we differentiate between a command
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2212,6 +2212,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0
+ US_FL_NO_READ_DISC_INFO ),
+
+ /*
++ * Reported by Matthias Schwarzott
++ * The Amazon Kindle treats SYNCHRONIZE CACHE as an indication that
++ * the host may be finished with it, and automatically ejects its
++ * emulated media unless it receives another command within one second.
++ */
++UNUSUAL_DEV( 0x1949, 0x0004, 0x0000, 0x9999,
++ "Amazon",
++ "Kindle",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_SENSE_AFTER_SYNC ),
++
++/*
+ * Reported by Oliver Neukum
+ * This device morphes spontaneously into another device if the access
+ * pattern of Windows isn't followed.
Thus writable media would be dirty
+--- a/include/linux/usb_usual.h
++++ b/include/linux/usb_usual.h
+@@ -86,6 +86,8 @@
+ /* lies about caching, so always sync */ \
+ US_FLAG(NO_SAME, 0x40000000) \
+ /* Cannot handle WRITE_SAME */ \
++ US_FLAG(SENSE_AFTER_SYNC, 0x80000000) \
++ /* Do REQUEST_SENSE after SYNCHRONIZE_CACHE */ \
+
+ #define US_FLAG(name, value) US_FL_##name = value ,
+ enum { US_DO_ALL_FLAGS };
diff --git a/queue-5.10/usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch b/queue-5.10/usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch
new file mode 100644
index 00000000000..f7c283023db
--- /dev/null
+++ b/queue-5.10/usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch
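Review bot: `US_FLAG(SENSE_AFTER_SYNC, 0x80000000)` in include/linux/usb_usual.h becomes an enumerator through `#define US_FLAG(name, value) US_FL_##name = value ,`, and 0x80000000 does not fit in `int`, so the definition relies on the compiler's extended enumerator range rather than on ISO C. It also appears to take the top bit of a 32-bit mask, which leaves no room for a further quirk without widening the flags. A comment beside the entry would make both facts visible, for example `/* top bit of the 32-bit mask; value exceeds INT_MAX */`. In transport.c the new branch sets `need_auto_sense` for a command that did not fail, so it is worth confirming in the code below the hunk that the REQUEST SENSE result cannot turn a successful SYNCHRONIZE CACHE into an error reported to the SCSI layer.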
@@ -0,0 +1,40 @@
+From 3cac9104bea41099cf622091f0c0538bcb19050d Mon Sep 17 00:00:00 2001
+From: Elias Rudberg
+Date: Thu, 11 Mar 2021 13:47:10 +0100
+Subject: usb: typec: Remove vdo[3] part of tps6598x_rx_identity_reg struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Elias Rudberg
+
+commit 3cac9104bea41099cf622091f0c0538bcb19050d upstream.
+
+Remove the unused "u32 vdo[3]" part in the tps6598x_rx_identity_reg
+struct. This helps avoid "failed to register partner" errors which
+happen when tps6598x_read_partner_identity() fails because the
+amount of data read is 12 bytes smaller than the struct size.
+Note that vdo[3] is already in usb_pd_identity and hence
+shouldn't be added to tps6598x_rx_identity_reg as well.
+
+Fixes: f6c56ca91b92 ("usb: typec: Add the Product Type VDOs to struct usb_pd_identity")
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Guido Günther
+Signed-off-by: Elias Rudberg
+Cc: stable
+Link: https://lore.kernel.org/r/20210311124710.6563-1-mail@eliasrudberg.se
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tps6598x.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -62,7 +62,6 @@ enum {
+ struct tps6598x_rx_identity_reg {
+ u8 status;
+ struct usb_pd_identity identity;
+- u32 vdo[3];
+ } __packed;
+
+ /* Standard Task return codes */
diff --git a/queue-5.10/usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch b/queue-5.10/usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch
new file mode 100644
index 00000000000..5b1fe9810f9
--- /dev/null
+++ b/queue-5.10/usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch
@@ -0,0 +1,92 @@
+From 86629e098a077922438efa98dc80917604dfd317 Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan
+Date: Wed, 17 Mar 2021 11:12:48 -0700
+Subject: usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy-
+
+From: Badhri Jagan Sridharan
+
+commit 86629e098a077922438efa98dc80917604dfd317 upstream.
+
+tcpm-source-psy- does not invoke power_supply_changed API when
+one of the published power supply properties is changed.
+power_supply_changed needs to be called to notify
+userspace clients(uevents) and kernel clients.
+
+Fixes: f2a8aa053c176 ("typec: tcpm: Represent source supply through power_supply")
+Reviewed-by: Guenter Roeck
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Badhri Jagan Sridharan
+Cc: stable
+Link: https://lore.kernel.org/r/20210317181249.1062995-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -785,6 +785,7 @@ static int tcpm_set_current_limit(struct
+
+ port->supply_voltage = mv;
+ port->current_limit = max_ma;
++ power_supply_changed(port->psy);
+
+ if (port->tcpc->set_current_limit)
+ ret = port->tcpc->set_current_limit(port->tcpc, max_ma, mv);
+@@ -2300,6 +2301,7 @@ static int tcpm_pd_select_pdo(struct tcp
+
+ port->pps_data.supported = false;
+ port->usb_type = POWER_SUPPLY_USB_TYPE_PD;
++ power_supply_changed(port->psy);
+
+ /*
+ * Select the source PDO providing the most power which has a
+@@ -2324,6 +2326,7 @@ static int tcpm_pd_select_pdo(struct tcp
+ port->pps_data.supported = true;
+ port->usb_type =
+ POWER_SUPPLY_USB_TYPE_PD_PPS;
++ power_supply_changed(port->psy);
+ }
+ continue;
+ default:
+@@ -2481,6 +2484,7 @@ static unsigned int tcpm_pd_select_pps_a
+ port->pps_data.out_volt));
+ port->pps_data.op_curr = min(port->pps_data.max_curr,
+ port->pps_data.op_curr);
++ power_supply_changed(port->psy);
+ }
+
+ return src_pdo;
+@@ -2716,6 +2720,7 @@ static int tcpm_set_charge(struct tcpm_p
+ return ret;
+ }
+ port->vbus_charge = charge;
++ power_supply_changed(port->psy);
+ return 0;
+ }
+
+@@ -2880,6 +2885,7 @@ static void tcpm_reset_port(struct tcpm_
+ port->try_src_count = 0;
+ port->try_snk_count = 0;
+ port->usb_type = POWER_SUPPLY_USB_TYPE_C;
++ power_supply_changed(port->psy);
+ port->nr_sink_caps = 0;
+ port->sink_cap_done = false;
+ if (port->tcpc->enable_frs)
+@@ -4982,7 +4988,7 @@ static int tcpm_psy_set_prop(struct powe
+ ret = -EINVAL;
+ break;
+ }
+-
++ power_supply_changed(port->psy);
+ return ret;
+ }
+
+@@ -5134,6 +5140,7 @@ struct tcpm_port *tcpm_register_port(str
+ err = devm_tcpm_psy_register(port);
+ if (err)
+ goto out_role_sw_put;
++ power_supply_changed(port->psy);
+
+ port->typec_port = typec_register_port(port->dev, &port->typec_caps);
+ if (IS_ERR(port->typec_port)) {
diff --git a/queue-5.10/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch b/queue-5.10/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
new file mode 100644
index 00000000000..0d47e886d53
--- /dev/null
+++ b/queue-5.10/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
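Review bot: In `tcpm_psy_set_prop()` the added `power_supply_changed(port->psy);` runs on every exit path, including the `ret = -EINVAL` default case shown directly above it, so userspace and kernel listeners are notified of a change even when the property write was rejected. Guarding the call keeps notifications tied to real state changes: `if (!ret) power_supply_changed(port->psy);`. A similar ordering question applies in `tcpm_set_current_limit()`, where the notification is sent before `port->tcpc->set_current_limit()` has run, although the cached values are already updated at that point. Both functions extend beyond the visible hunks.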
@@ -0,0 +1,34 @@
+From 9858af27e69247c5d04c3b093190a93ca365f33d Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Thu, 11 Mar 2021 10:44:45 +0000
+Subject: usbip: Fix incorrect double assignment to udc->ud.tcp_rx
+
+From: Colin Ian King
+
+commit 9858af27e69247c5d04c3b093190a93ca365f33d upstream.
+
+Currently udc->ud.tcp_rx is being assigned twice, the second assignment
+is incorrect, it should be to udc->ud.tcp_tx instead of rx. Fix this.
+
+Fixes: 46613c9dfa96 ("usbip: fix vudc usbip_sockfd_store races leading to gpf")
+Acked-by: Shuah Khan
+Signed-off-by: Colin Ian King
+Cc: stable
+Addresses-Coverity: ("Unused value")
+Link: https://lore.kernel.org/r/20210311104445.7811-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/usbip/vudc_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vudc_sysfs.c
++++ b/drivers/usb/usbip/vudc_sysfs.c
+@@ -174,7 +174,7 @@ static ssize_t usbip_sockfd_store(struct
+
+ udc->ud.tcp_socket = socket;
+ udc->ud.tcp_rx = tcp_rx;
+- udc->ud.tcp_rx = tcp_tx;
++ udc->ud.tcp_tx = tcp_tx;
+ udc->ud.status = SDEV_ST_USED;
+
+ spin_unlock_irq(&udc->ud.lock);
-- 2.47.3