When using a GPIO which is high by default, and initialize the
driver in USB Hub mode, initialization fails with:
[ 111.757794] usb3503 0-0008: SP_ILOCK failed (-5)
The reason seems to be that the chip is not properly reset.
Probe does initialize reset low, however some lines later the
code already set it back high, which is not long enouth.
Make sure reset is asserted for at least 100us by inserting a
delay after initializing the reset pin during probe.
Signed-off-by: Stefan Agner <stefan@agner.ch>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Here are a couple of new device ids for cp210x.
Both have been in linux-next with no reported issues.
Signed-off-by: Johan Hovold <johan@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQJFBAABCAAvFiEEHszNKQClByu0A+9RQQ3kT97htJUFAlpXgeMRHGpvaGFuQGtl
cm5lbC5vcmcACgkQQQ3kT97htJV7lRAAgiGwh7JL5cFKoxavlpdQJSMTDlJd+An/
6br/lsDetpS9aidR2bI7IW3xNcj9Mr/Yoi6i5cSpXFyjRprN1Ras/pkDDEpsMjuB
xrSPDHWHWkFvba/Z61FpNXSimFPRJcI4OPOkyBB1ZD2keuYjiHNChVSzeGaLFFCv
hNvEyysi/pxShHf2DvFPFPdB9Z61gnsheCkyzeBQe80AcrVvgvkwsR4d3Gvn1/sE
8eqvIKP8wTRY4b8GQAA1tym957aRdczfBK4RCrIgPkik/NmljF+dvQ6n021eJ0JG
Sq3LK69HonGiTeq/uWH24it0Pi1PIkBhozs4o/9f1Nl0fztoo833QGWvX32Xdpo5
XU98UWYr/IfltDcZGzvLJHsgqXHjom6pm+L0acd9FyfcKlvLRskLvv1qMbXp9eKj
HB1JY1lnAhh5Kip8Q8gOSBbFDOBQtp1nCfQrHP9ttcTuNovvS3aw2WGTS9lYEu4o
NgNfoRerFtX4kCFqo1e071Zr4CfKmadZTHJ0I+poIZzn3z4G6eNetSj4UNUpUGO3
fFXo5EfKjTCZtvWKGeTyatxZwawGfTJkxfRg813W1iQbB8LlbF0e5LsMSW71OPpS
VHuVQeKK/2HQMg00fwxNg+jytQFZJJPHSW1Vaavr9e0532TaSyBYPHHBD+6/9HWd
UTxxzEPdq3w=
=LzG1
-----END PGP SIGNATURE-----
Merge tag 'usb-serial-4.15-rc8' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
Johan writes:
USB-serial fixes for v4.15-rc8
Here are a couple of new device ids for cp210x.
Both have been in linux-next with no reported issues.
Signed-off-by: Johan Hovold <johan@kernel.org>
The UAS mode of Norelsys NS1068(X) is reported to fail to work on
several platforms with the following error message:
xhci-hcd xhci-hcd.0.auto: ERROR Transfer event for unknown stream ring slot 1 ep 8
xhci-hcd xhci-hcd.0.auto: @00000000bf04a400 00000000 00000000 1b000000 01098001
And when trying to mount a partition on the disk the disk will
disconnect from the USB controller, then after re-connecting the device
will be offlined and not working at all.
Falling back to USB mass storage can solve this problem, so ignore UAS
function of this chip.
Cc: stable@vger.kernel.org
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The error-handling pathways in usb_add_gadget_udc_release() are messed
up. Aside from the uninformative statement labels, they can deallocate
the udc structure after calling put_device(), which is a double-free.
This was observed by KASAN in automatic testing.
This patch cleans up the routine. It preserves the requirement that
when any failure occurs, we call put_device(&gadget->dev).
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
CC: <stable@vger.kernel.org>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Automated tests triggered this by opening usbmon and accessing the
mmap while simultaneously resizing the buffers. This bug was with
us since 2006, because typically applications only size the buffers
once and thus avoid racing. Reported by Kirill A. Shutemov.
Reported-by: <syzbot+f9831b881b3e849829fc@syzkaller.appspotmail.com>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
v_send_ret_submit() handles urb with a null transfer_buffer, when it
replays a packet with potential malicious data that could contain a
null buffer.
Add a check for the condition when actual_length > 0 and transfer_buffer
is null.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses.
Remove kernel addresses from usb device and urb debug msgs and improve
the message content.
Instead of printing parent device and bus addresses, print parent device
and bus names.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This adds the ELV ALC 8xxx Battery Charging device
to the list of USB IDs of drivers/usb/serial/cp210x.c
Signed-off-by: Christian Holl <cyborgx1@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Add IDs for the OneTouch Verio IQ that comes with an embedded
USB-to-serial converter.
Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
When plugging in a USB webcam I see the following message:
xhci_hcd 0000:04:00.0: WARN Successful completion on short TX: needs
XHCI_TRUST_TX_LENGTH quirk?
handle_tx_event: 913 callbacks suppressed
All is quiet again with this patch (and I've done a fair but of soak
testing with the camera since).
Cc: <stable@vger.kernel.org>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Trying to read from debugfs after the system has resumed from
hibernate causes a use-after-free and thus a protection fault.
Steps to reproduce:
Hibernate system, resume from hibernate, then run
$ cat /sys/kernel/debug/usb/xhci/*/command-ring/enqueue
[ 3902.765086] general protection fault: 0000 [#1] PREEMPT SMP
...
[ 3902.765136] RIP: 0010:xhci_trb_virt_to_dma.part.50+0x5/0x30
...
[ 3902.765178] Call Trace:
[ 3902.765188] xhci_ring_enqueue_show+0x1e/0x40
[ 3902.765197] seq_read+0xdb/0x3a0
[ 3902.765204] ? __handle_mm_fault+0x5fb/0x1210
[ 3902.765211] full_proxy_read+0x4a/0x70
[ 3902.765219] __vfs_read+0x23/0x120
[ 3902.765228] vfs_read+0x8e/0x130
[ 3902.765235] SyS_read+0x42/0x90
[ 3902.765242] do_syscall_64+0x6b/0x290
[ 3902.765251] entry_SYSCALL64_slow_path+0x25/0x25
The issue is caused by the xhci ring structures being reallocated
when the system is resumed, but pointers to the old structures
being retained in the debugfs files "private" field:
The proposed patch fixes this issue by storing a pointer to the xhci_ring
field in the xhci device structure in debugfs rather than directly
storing a pointer to the xhci_ring.
Fixes: 02b6fdc2a1 ("usb: xhci: Add debugfs interface for xHCI driver")
Signed-off-by: Alexander Kappner <agk@godking.net>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Free the virt_device and its debugfs_private member together.
When resuming from hibernate the .free_dev callback unconditionally
freed the debugfs_private member, but could leave virt_device intact.
This triggered a NULL pointer dereference after resume when usbmuxd
sent a USBDEVFS_SETCONFIGURATION ioctl to a device, trying to add a
endpoint debugfs entry to a already freed debugfs_private pointer.
Fixes: 02b6fdc2a1 ("usb: xhci: Add debugfs interface for xHCI driver")
Reported-by: Alexander Kappner <agk@godking.net>
Tested-by: Alexander Kappner <agk@godking.net>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Here are some new device ids for ftdi_sio, option and qcserial.
Note that the qcserial patch enables the SetControlLineState request
(used to raise DTR/RTS) for the GPS interface of all devices using the
Sierra Wireless layout. This was required for the Sierra Wireless EM7565
and has been tested using several other modems as well.
All but the final commit have been in linux-next without any reported
issues.
Signed-off-by: Johan Hovold <johan@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQJFBAABCAAvFiEEHszNKQClByu0A+9RQQ3kT97htJUFAlpDgQkRHGpvaGFuQGtl
cm5lbC5vcmcACgkQQQ3kT97htJX/dA/+I2Lv/PGv4i/KCIvtjVRUizokJSenEmqS
LfxolFzBt7wmPQxFMRpp63W1jZYwIkR4pSRNLUUOXI8sqmkmy2B9+G+6aL8s8IGZ
GjXH4OYlNlscaUzF81ObrNJSvcQ/OghjZqOyvxcaXVzXNtNn+1ewmqsFvDIemQot
wOcN59IPO7C7QFpxE1TwQtLbrjynl+BSa8AqQ+/Q/fRnKaISdjmm9BBL6dRANQ2r
W8C5qErmsWRRgWtK/8jSGsTrUgwxPYTaHk0x3SspEqyfGYEKl0y3ppceuphW53IC
8R9o8wV5kLBXe0fUZzO1eWCX3p3SdQqwwjj/Hgxg4/LLYLMvaKlG/z/xpD06TyWs
yn5d2By2PadLpTE67bimRReIqpNeGtyCecVQmAWeTiuECAFD827cdly5+MXgOh8q
Wq6axaeM7UhPl75EtThpTeRGXRojEWIpdLmRjxoqGi726XPoQJdwmo8+qgfpxwNl
lA0/lbKt7EHfG+zJL+1HrzljUcSmnP5I+dk3OebYeGF44EjnUDgupUYAT80224YZ
KtVb+jyEJKyLK+3TZG9TfL7hZwr9qDXUjoY6J8yla/NnJEOrnUs2wMGXc0ClaGVS
ZOEHgKMkNYWQeGbjKrvcB/W1jmnWYzZkrxhK8KvWwtSFapLcuKH/dGuGPP/1GU47
nSMhCGe9Pv0=
=Qx6D
-----END PGP SIGNATURE-----
Merge tag 'usb-serial-4.15-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
Johan writes
USB-serial fixes for v4.15-rc6
Here are some new device ids for ftdi_sio, option and qcserial.
Note that the qcserial patch enables the SetControlLineState request
(used to raise DTR/RTS) for the GPS interface of all devices using the
Sierra Wireless layout. This was required for the Sierra Wireless EM7565
and has been tested using several other modems as well.
All but the final commit have been in linux-next without any reported
issues.
Signed-off-by: Johan Hovold <johan@kernel.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJaONRxAAoJEEhZKYFQ1nG7eGsH/jW+VX14utmEXt3CHFkTAmL8
gDUM/74opMiZVLSDDV+J/CFcNASj9Qk5X39928Y69x731b82yIR56Fmi4WOGX4m5
YD6JaMfgx0sTT76c07SUJYVkJCfI41NwR/YSJH79Mghy3Osuv40koh+DPTGQhjPY
XjvfxIxwmsLvz7cMkTfIEOud4axaKpxvm/NOlwdCSrtGzp9G4GEcIpwz1MYpqaA/
Fnx60cqmiGG+vFuMjnwo+5bpSXpEWuIFfJujZwU0h7vLqqUMd8WwkHp92JnBr4+H
jwgIZfC2adK4iLd/VvprVle3k8TY1L6oI4EjD7l1+Kge1q94B/I7Ubd7gvy6XmA=
=2wh+
-----END PGP SIGNATURE-----
Merge tag 'usb-ci-v4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb into usb-linus
Peter writes:
One fix for ulpi-node lookup at msm glue driver
Commit e0429362ab
("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
introduced quirk to workaround an issue with some Logitech webcams.
There is one more model that has the same issue - C925e, so applying
the same quirk as well.
See aforementioned commit message for detailed explanation of the problem.
Signed-off-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This modem needs this quirk to operate. It produces timeouts when
resumed without reset.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usbip driver is leaking socket pointer address in messages. Remove
the messages that aren't useful and print sockfd in the ones that
are useful for debugging.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a
off by one in commit 81cf4a4536 ("USB: core: Add type-specific length
check of BOS descriptors")
It uses USB_DT_USB_SSP_CAP_SIZE() to get SSP capability size which takes
the zero based SSAC as argument, not the actual count of sublink speed
attributes.
USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."
The type-specific length check patch was added to stable and needs to be
fixed there as well
Fixes: 81cf4a4536 ("USB: core: Add type-specific length check of BOS descriptors")
Cc: linux-stable <stable@vger.kernel.org>
CC: Masakazu Mokuno <masakazu.mokuno@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch adds support for PID 0x1101 of Telit ME910.
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
A malicious USB device with crafted descriptors can cause the kernel
to access unallocated memory by setting the bNumInterfaces value too
high in a configuration descriptor. Although the value is adjusted
during parsing, this adjustment is skipped in one of the error return
paths.
This patch prevents the problem by setting bNumInterfaces to 0
initially. The existing code already sets it to the proper value
after parsing is complete.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 32fd87b3bb.
Alan wrote a better fix for this...
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.
Note that the original premature free of the parent node has already
been fixed separately, but that fix was apparently never backported to
stable.
Fixes: 47654a1620 ("usb: chipidea: msm: Restore wrapper settings after reset")
Fixes: b74c43156c ("usb: chipidea: msm: ci_hdrc_msm_probe() missing of_node_get()")
Cc: stable <stable@vger.kernel.org> # 4.10: b74c43156c
Cc: Stephen Boyd <stephen.boyd@linaro.org>
Cc: Frank Rowand <frank.rowand@sony.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
When cleaning up the configurations, make sure we only free the number
of configurations and interfaces that we could have allocated.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We have a few fixes on dwc3:
- one fix which only happens with some implementations where we need to
wait longer for some commands to finish.
- Another fix for high-bandwidth isochronous endpoint programming making
sure that we send the correct DATA tokens in the correct sequence
- A couple PM fixes on dwc3-of-simple
The other synopsys controller driver (dwc2) got a fix for FIFO size
programming.
Other than these, we have a couple Kconfig fixes making sure that
dependencies are properly setup.
-----BEGIN PGP SIGNATURE-----
iQJRBAABCgA7FiEElLzh7wn96CXwjh2IzL64meEamQYFAlovtj8dHGZlbGlwZS5i
YWxiaUBsaW51eC5pbnRlbC5jb20ACgkQzL64meEamQYkhg/+Js7q/csuLfknxIeU
0FT0exGWBr/XNWDwvckS65yR6zFgG6txRmuuHTq1BcqiOL6jpqV0D8VoAUt/rv1U
HrUPYMaS8Y5qpYZOe28NyyFgl+5CuoYdLkToAqUrX1MRXClt4Cx+XeJ6yOM6heXb
codXGef04oCTVYbDuPBbO1S99Pi1nw2T7jOLrhwegAGKEBMCzv+uT/qCR/uG5Fzr
5GHWWQyHLlo3Av29Rmp4GCFONlyxzGyKTKN+tFAVurGsO9UN8zY2BhfP6mH3kG64
dyef/hWJ4adhxnbTlrjrnZ52RBePhuUzqXDpKPrCYr9mlsI9NfPk6ablvHkF4W5K
bXqE8YTuiRdQIRS1+3LbK0BSsuC4svVD3QpN2fghPhkcxPg2FnR4eI3t5IupM6Hz
tqZvn4BU1UPdrRO3FBmyY/ZMTzsk5u4GB81FUUJRqQlg9cPTcjAWTmwox8fVzf6j
B2uC59qRn5KDMTKOyCU2CATo3Oi211WCWsUtnO7+mXxknyaWOjWI0MfV0fB3OLIj
IPm/PVfNcECjiOOpgyhSUY5YbIkQpD3/u9U8cuC+2Q2na7Cftsy/tJLrVlKgLXvQ
VgHoHGwSPkGdrClRp5mB0c5m2byPAE+BaOleSmeepiq2dDUvgr8hjgBURooKpC9j
mfNmZrsJgYXQIU9v6E0z92PH/+0=
=6T1G
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-v4.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
Felipe writes:
usb: fixes for v4.15-rc4
We have a few fixes on dwc3:
- one fix which only happens with some implementations where we need to
wait longer for some commands to finish.
- Another fix for high-bandwidth isochronous endpoint programming making
sure that we send the correct DATA tokens in the correct sequence
- A couple PM fixes on dwc3-of-simple
The other synopsys controller driver (dwc2) got a fix for FIFO size
programming.
Other than these, we have a couple Kconfig fixes making sure that
dependencies are properly setup.
This reverts commit 7a9618a22a.
Romain Izard recently reported that commit 7a9618a22a ended up
allowing every legacy gadget driver to statically linked to the
kernel, however that doesn't work, since only one legacy gadget can be
bound to a controller. Because of that, let's revert the original commit
and fix the problem.
Reported-by: Romain Izard <romain.izard.pro@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Configuring the USB_G_WEBCAM driver as built-in leads to a link
error when CONFIG_VIDEO_V4L2 is a loadable module:
drivers/usb/gadget/function/f_uvc.o: In function `uvc_function_setup':
f_uvc.c:(.text+0xfe): undefined reference to `v4l2_event_queue'
drivers/usb/gadget/function/f_uvc.o: In function `uvc_function_ep0_complete':
f_uvc.c:(.text+0x188): undefined reference to `v4l2_event_queue'
This changes the Kconfig dependency to disallow that configuration,
and force it to be a module in that case as well.
This is apparently a rather old bug, but very hard to trigger
even in thousands of randconfig builds.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
In host mode reading from DPTXSIZn returning invalid value in
dwc2_check_param_tx_fifo_sizes function.
In total TxFIFO size calculations unnecessarily reducing by ep_info.
hw->total_fifo_size can be fully allocated for FIFO's.
Added num_dev_in_eps member in dwc2_hw_params structure to save number
of IN EPs.
Added g_tx_fifo_size array in dwc2_hw_params structure to store power
on reset values of DPTXSIZn registers in forced device mode.
Updated dwc2_hsotg_tx_fifo_count() function to get TxFIFO count from
num_dev_in_eps.
Updated dwc2_get_dev_hwparams() function to store DPTXFSIZn in
g_tx_fifo_size array.
dwc2_get_host/dev_hwparams() functions call moved after num_dev_in_eps
set from hwcfg4.
Modified dwc2_check_param_tx_fifo_sizes() function to check TxFIFOn
sizes based on g_tx_fifo_size array.
Removed ep_info subtraction during calculation of tx_addr_max in
dwc2_hsotg_tx_fifo_total_depth() function. Also removed
dwc2_hsotg_ep_info_size() function as no more need.
Acked-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Gevorg Sahakyan <sahakyan@synopsys.com>
Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
For isochronous endpoints with ep->mult less than 3, PCM1 value of
trb->size in set incorrectly.
For ep->mult = 2, this is set to 0/-1 and for ep->mult = 1, this is
set to -2. This is because the initial mult is set to ep->mult - 1
instead of 2.
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
dwc3_of_simple_dev_pm_ops has never been used since the initial support
by commit 16adc674d0 ("usb: dwc3: add generic OF glue layer").
I guess it just missed to set .pm struct member.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
If of_clk_get() fails, the clean-up of already initialized clocks should be
the same as when clk_prepare_enable() fails. Thus a clk_disable_unprepare()
for each clock should be called before the clk_put().
Found by Linux Driver Verification project (linuxtesting.org).
Fixes: 16adc674d0 ("usb: dwc3: ep0: fix setup_packet_pending initialization")
Signed-off-by: Andreas Platschek <andreas.platschek@opentech.at>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
For MTK's xHCI 1.0 or latter, TD size is the number of max
packet sized packets remaining in the TD, not including
this TRB (following spec).
For MTK's xHCI 0.96 and older, TD size is the number of max
packet sized packets remaining in the TD, including this TRB
(not following spec).
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Avoid null pointer dereference if some function is walking through the
devs array accessing members of a new virt_dev that is mid allocation.
Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its
members are properly allocated.
issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port
"Quick analysis suggests that xhci_alloc_virt_device() is not mutex
protected. If so, there is a time frame where xhci->devs[slot_id] is set
but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL."
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
stub_send_ret_submit() handles urb with a potential null transfer_buffer,
when it replays a packet with potential malicious data that could contain
a null buffer. Add a check for the condition when actual_length > 0 and
transfer_buffer is null.
Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the
/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.
Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.
As this opens a security hole, the fix replaces socket pointer address with
sockfd.
Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations. Validate early in get_pipe() and return
failure.
Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
get_pipe() routine doesn't validate the input endpoint number
and uses to reference ep_in and ep_out arrays. Invalid endpoint
number can trigger BUG(). Range check the epnum and returning
error instead of calling BUG().
Change caller stub_recv_cmd_submit() to handle the get_pipe()
error return.
Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails
with the following error:
[sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[sda] tag#0 Sense Key : Illegal Request [current]
[sda] tag#0 Add. Sense: Invalid field in cdb
The issue occurs both with UAS (occasionally) and mass storage
(immediately after mounting a FS on a disk in the enclosure).
Enabling US_FL_BROKEN_FUA quirk solves this issue.
This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure
for both UAS and mass storage.
Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When babble condition happens, the musb controller might automatically
turns off VBUS. On DA8xx platform, the controller generates drvvbus
interrupt for turning off VBUS along with the babble interrupt.
In this case, we should handle the babble interrupt first and recover
from the babble condition.
This change ignores the drvvbus interrupt if babble interrupt is also
generated at the same time, so the babble recovery routine works
properly.
Cc: stable@vger.kernel.org # v3.16+
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xHC can generate two events for a short transfer if the short TRB and
last TRB in the TD are not the same TRB.
The driver will handle the TD after the first short event, and remove
it from its internal list. Driver then incorrectly prints a warning
for the second event:
"WARN Event TRB for slot x ep y with no TDs queued"
Fix this by not printing a warning if we get a event on a empty list
if the previous event was a short event.
Cc: <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The previous USB3 SuperSpeed enabling patches mistakenly enabled
URB scatter-gather chaining, which is actually not supported by
the VHCI HCD. This patch fixes that.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197867
Fixes: 03cd00d538 ("usbip: vhci-hcd: Set the vhci structure up to work")
Reported-by: Juan Zea <juan.zea@qindel.com>
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
After a long time, we finally have a good solution for how to handle
OS descriptor on FFS. From now on we will force the Reserved field to
be 1 as mandated by the specification.
Apart from that, we have a couple other smaller fixes:
- FFS learned to not sleep in atomic context.
- UDC-core has a fix for the way we set a UDC's operating speed.
- Renesas USB3 has a fix for the maximum number of pipes supported
- Allow legacy drivers to be compiled without USB_ETH
- Fix some coccinelle warnings
-----BEGIN PGP SIGNATURE-----
iQJRBAABCgA7FiEElLzh7wn96CXwjh2IzL64meEamQYFAlof73odHGZlbGlwZS5i
YWxiaUBsaW51eC5pbnRlbC5jb20ACgkQzL64meEamQYceA//RG7Zr6FYZXlmjtQR
klW3em7lI7706Ha7Tn+wFb6eK6Hl0NgkpuGsaRyk+JD1XK2mC5AIWAkzMJY3P+5b
v1GDGS9AcZB5XA70wfe+o8USCF5C4YY/96zYIq4dpugKxMUuU0LnhAJMkZ34zsAD
6oH2Wxku+wClnciMthHCegNcu2WFHIO/ef7PsamK3JGdEUC6AoOolizowc7XPhvP
mc1Gc7MwsCkk0u1OPsAxKWZrokdrAjJPMTV79rSNnkE6FtTBtRckeuilq5yQ8aWY
M0rJ+cYZeR8JOADINxIBucQ4d5PDemGrq6JX5aats8RvS+7q9M6xqfBugRNA/GBN
RVut4GMuTvQQMTTLKN/MZKE2uGjIuncgOT6QmSrDqKzFg73fZAV4gh5rCvtNeccO
y0GBHU4F8zFLdLLqPAAGWsHq19ZEa+EIuRVhB7vPR02VtjZ0UZNXymKgwzVDKhuF
N5CHHJzqyypKqx2L2vyBkKakYb2KXZhWlNVuWaTiMCRe0SIQ/LqBjhzDK/rSHPZe
pEA37vYlCF0UWddqBrwA4wgnJhHdv980z4SroAFpTrV6dblLGA2nkwO2ZmaHuHBO
VSXIFLhvN1iyRrJ6cfoD5FAXliatxSwIz91HAplAzVP2W+dPUCd9qvgTyirS7BLi
dovO1gCgVzDnKr1tj01bdycy3Fo=
=hBSF
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-v4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
Felipe writes:
usb: fixes for v4.15-rc2
After a long time, we finally have a good solution for how to handle
OS descriptor on FFS. From now on we will force the Reserved field to
be 1 as mandated by the specification.
Apart from that, we have a couple other smaller fixes:
- FFS learned to not sleep in atomic context.
- UDC-core has a fix for the way we set a UDC's operating speed.
- Renesas USB3 has a fix for the maximum number of pipes supported
- Allow legacy drivers to be compiled without USB_ETH
- Fix some coccinelle warnings
Stefan Agner