1. 28 9月, 2017 11 次提交
  2. 25 9月, 2017 3 次提交
  3. 23 9月, 2017 4 次提交
    • A
      USB: g_mass_storage: Fix deadlock when driver is unbound · 1fbbb78f
      Alan Stern 提交于
      As a holdover from the old g_file_storage gadget, the g_mass_storage
      legacy gadget driver attempts to unregister itself when its main
      operating thread terminates (if it hasn't been unregistered already).
      This is not strictly necessary; it was never more than an attempt to
      have the gadget fail cleanly if something went wrong and the main
      thread was killed.
      
      However, now that the UDC core manages gadget drivers independently of
      UDC drivers, this scheme doesn't work any more.  A simple test:
      
      	modprobe dummy-hcd
      	modprobe g-mass-storage file=...
      	rmmod dummy-hcd
      
      ends up in a deadlock with the following backtrace:
      
       sysrq: SysRq : Show Blocked State
         task                PC stack   pid father
       file-storage    D    0  1130      2 0x00000000
       Call Trace:
        __schedule+0x53e/0x58c
        schedule+0x6e/0x77
        schedule_preempt_disabled+0xd/0xf
        __mutex_lock.isra.1+0x129/0x224
        ? _raw_spin_unlock_irqrestore+0x12/0x14
        __mutex_lock_slowpath+0x12/0x14
        mutex_lock+0x28/0x2b
        usb_gadget_unregister_driver+0x29/0x9b [udc_core]
        usb_composite_unregister+0x10/0x12 [libcomposite]
        msg_cleanup+0x1d/0x20 [g_mass_storage]
        msg_thread_exits+0xd/0xdd7 [g_mass_storage]
        fsg_main_thread+0x1395/0x13d6 [usb_f_mass_storage]
        ? __schedule+0x573/0x58c
        kthread+0xd9/0xdb
        ? do_set_interface+0x25c/0x25c [usb_f_mass_storage]
        ? init_completion+0x1e/0x1e
        ret_from_fork+0x19/0x24
       rmmod           D    0  1155    683 0x00000000
       Call Trace:
        __schedule+0x53e/0x58c
        schedule+0x6e/0x77
        schedule_timeout+0x26/0xbc
        ? __schedule+0x573/0x58c
        do_wait_for_common+0xb3/0x128
        ? usleep_range+0x81/0x81
        ? wake_up_q+0x3f/0x3f
        wait_for_common+0x2e/0x45
        wait_for_completion+0x17/0x19
        fsg_common_put+0x34/0x81 [usb_f_mass_storage]
        fsg_free_inst+0x13/0x1e [usb_f_mass_storage]
        usb_put_function_instance+0x1a/0x25 [libcomposite]
        msg_unbind+0x2a/0x42 [g_mass_storage]
        __composite_unbind+0x4a/0x6f [libcomposite]
        composite_unbind+0x12/0x14 [libcomposite]
        usb_gadget_remove_driver+0x4f/0x77 [udc_core]
        usb_del_gadget_udc+0x52/0xcc [udc_core]
        dummy_udc_remove+0x27/0x2c [dummy_hcd]
        platform_drv_remove+0x1d/0x31
        device_release_driver_internal+0xe9/0x16d
        device_release_driver+0x11/0x13
        bus_remove_device+0xd2/0xe2
        device_del+0x19f/0x221
        ? selinux_capable+0x22/0x27
        platform_device_del+0x21/0x63
        platform_device_unregister+0x10/0x1a
        cleanup+0x20/0x817 [dummy_hcd]
        SyS_delete_module+0x10c/0x197
        ? ____fput+0xd/0xf
        ? task_work_run+0x55/0x62
        ? prepare_exit_to_usermode+0x65/0x75
        do_fast_syscall_32+0x86/0xc3
        entry_SYSENTER_32+0x4e/0x7c
      
      What happens is that removing the dummy-hcd driver causes the UDC core
      to unbind the gadget driver, which it does while holding the udc_lock
      mutex.  The unbind routine in g_mass_storage tells the main thread to
      exit and waits for it to terminate.
      
      But as mentioned above, when the main thread exits it tries to
      unregister the mass-storage function driver.  Via the composite
      framework this ends up calling usb_gadget_unregister_driver(), which
      tries to acquire the udc_lock mutex.  The result is deadlock.
      
      The simplest way to fix the problem is not to be so clever: The main
      thread doesn't have to unregister the function driver.  The side
      effects won't be so terrible; if the gadget is still attached to a USB
      host when the main thread is killed, it will appear to the host as
      though the gadget's firmware has crashed -- a reasonably accurate
      interpretation, and an all-too-common occurrence for USB mass-storage
      devices.
      
      In fact, the code to unregister the driver when the main thread exits
      is specific to g-mass-storage; it is not used when f-mass-storage is
      included as a function in a larger composite device.  Therefore the
      entire mechanism responsible for this (the fsg_operations structure
      with its ->thread_exits method, the fsg_common_set_ops() routine, and
      the msg_thread_exits() callback routine) can all be eliminated.  Even
      the msg_registered bitflag can be removed, because now the driver is
      unregistered in only one place rather than in two places.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Acked-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Acked-by: NMichal Nazarewicz <mina86@mina86.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fbbb78f
    • A
      USB: gadgetfs: Fix crash caused by inadequate synchronization · 520b72fc
      Alan Stern 提交于
      The gadgetfs driver (drivers/usb/gadget/legacy/inode.c) was written
      before the UDC and composite frameworks were adopted; it is a legacy
      driver.  As such, it expects that once bound to a UDC controller, it
      will not be unbound until it unregisters itself.
      
      However, the UDC framework does unbind function drivers while they are
      still registered.  When this happens, it can cause the gadgetfs driver
      to misbehave or crash.  For example, userspace can cause a crash by
      opening the device file and doing an ioctl call before setting up a
      configuration (found by Andrey Konovalov using the syzkaller fuzzer).
      
      This patch adds checks and synchronization to prevent these bad
      behaviors.  It adds a udc_usage counter that the driver increments at
      times when it is using a gadget interface without holding the private
      spinlock.  The unbind routine waits for this counter to go to 0 before
      returning, thereby ensuring that the UDC is no longer in use.
      
      The patch also adds a check in the dev_ioctl() routine to make sure
      the driver is bound to a UDC before dereferencing the gadget pointer,
      and it makes destroy_ep_files() synchronize with the endpoint I/O
      routines, to prevent the user from accessing an endpoint data
      structure after it has been removed.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      CC: <stable@vger.kernel.org>
      Acked-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      520b72fc
    • A
      USB: gadgetfs: fix copy_to_user while holding spinlock · 6e76c01e
      Alan Stern 提交于
      The gadgetfs driver as a long-outstanding FIXME, regarding a call of
      copy_to_user() made while holding a spinlock.  This patch fixes the
      issue by dropping the spinlock and using the dev->udc_usage mechanism
      introduced by another recent patch to guard against status changes
      while the lock isn't held.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      CC: <stable@vger.kernel.org>
      Acked-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e76c01e
    • A
      USB: uas: fix bug in handling of alternate settings · 786de92b
      Alan Stern 提交于
      The uas driver has a subtle bug in the way it handles alternate
      settings.  The uas_find_uas_alt_setting() routine returns an
      altsetting value (the bAlternateSetting number in the descriptor), but
      uas_use_uas_driver() then treats that value as an index to the
      intf->altsetting array, which it isn't.
      
      Normally this doesn't cause any problems because the various
      alternate settings have bAlternateSetting values 0, 1, 2, ..., so the
      value is equal to the index in the array.  But this is not guaranteed,
      and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a
      slab-out-of-bounds error by violating this assumption.
      
      This patch fixes the bug by making uas_find_uas_alt_setting() return a
      pointer to the altsetting entry rather than either the value or the
      index.  Pointers are less subject to misinterpretation.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      CC: Oliver Neukum <oneukum@suse.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      786de92b
  4. 22 9月, 2017 2 次提交
    • A
      usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives · 113f6eb6
      Alan Stern 提交于
      Kris Lindgren reports that without the NO_WP_DETECT flag, his Seagate
      external disk drive fails all write accesses.  This regresssion dates
      back approximately to the start of the 4.x kernel releases.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NKris Lindgren <kris.lindgren@gmail.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      113f6eb6
    • A
      usb-storage: fix bogus hardware error messages for ATA pass-thru devices · a4fd4a72
      Alan Stern 提交于
      Ever since commit a621bac3 ("scsi_lib: correctly retry failed zero
      length REQ_TYPE_FS commands"), people have been getting bogus error
      messages for USB disk drives using ATA pass-thru.  For example:
      
      [ 1344.880193] sd 6:0:0:0: [sdb] Attached SCSI disk
      [ 1345.069152] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
      [ 1345.069159] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
      [ 1345.069162] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
      [ 1345.069168] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(16) 85 06 20 00 00 00 00 00 00 00 00 00 00 00 e5 00
      [ 1345.172252] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
      [ 1345.172258] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
      [ 1345.172261] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
      [ 1345.172266] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(12)/Blank a1 06 20 da 00 00 4f c2 00 b0 00 00
      
      These messages can be quite annoying, because programs like udisks2
      provoke them every 10 minutes or so.  Other programs can also have
      this effect, such as those in smartmontools.
      
      I don't fully understand how that commit induced the SCSI core to log
      these error messages, but the underlying cause for them is code added
      to usb-storage by commit f1a0743b ("USB: storage: When a device
      returns no sense data, call it a Hardware Error").  At the time it was
      necessary to do this, in order to prevent an infinite retry loop with
      some not-so-great mass storage devices.
      
      However, the ATA pass-thru protocol uses SCSI sense data to return
      command status values, and some devices always report Check Condition
      status for ATA pass-thru commands to ensure that the host retrieves
      the sense data, even if the command succeeded.  This violates the USB
      mass-storage protocol (Check Condition status is supposed to mean the
      command failed), but we can't help that.
      
      This patch attempts to mitigate the problem of these bogus error
      reports by changing usb-storage.  The HARDWARE ERROR sense key will be
      inserted only for commands that aren't ATA pass-thru.
      
      Thanks to Ewan Milne for pointing out that this mechanism was present
      in usb-storage.  8 years after writing it, I had completely forgotten
      its existence.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Tested-by: NKris Lindgren <kris.lindgren@gmail.com>
      Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1351305
      CC: Ewan D. Milne <emilne@redhat.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a4fd4a72
  5. 21 9月, 2017 2 次提交
  6. 20 9月, 2017 4 次提交
    • A
      usb: gadget: dummy: fix nonsensical comparisons · 7661ca09
      Arnd Bergmann 提交于
      gcc-8 points out two comparisons that are clearly bogus
      and almost certainly not what the author intended to write:
      
      drivers/usb/gadget/udc/dummy_hcd.c: In function 'set_link_state_by_speed':
      drivers/usb/gadget/udc/dummy_hcd.c:379:31: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
               USB_PORT_STAT_ENABLE) == 1 &&
                                     ^~
      drivers/usb/gadget/udc/dummy_hcd.c:381:25: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
            USB_SS_PORT_LS_U0) == 1 &&
                               ^~
      
      I looked at the code for a bit and came up with a change that makes
      it look like what the author probably meant here. This makes it
      look reasonable to me and to gcc, shutting up the warning.
      
      It does of course change behavior as the two conditions are actually
      evaluated rather than being hardcoded to false, and I have made no
      attempt at verifying that the changed logic makes sense in the context
      of a USB HCD, so that part needs to be reviewed carefully.
      
      Fixes: 1cd8fd28 ("usb: gadget: dummy_hcd: add SuperSpeed support")
      Cc: Tatyana Brokhman <tlinder@codeaurora.org>
      Cc: Felipe Balbi <balbi@kernel.org>
      Acked-by: NAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      7661ca09
    • R
      usb: gadget: udc: fix snps_udc_plat.c build errors · 641663a1
      Randy Dunlap 提交于
      Fix build errors that happen when CONFIG_EXTCON=m and
      CONFIG_USB_SNP_UDC_PLAT=y by preventing that combination in Kconfig.
      CONFIG_EXTCON can still be disabled or enabled for this driver since
      <linux/extcon.h> has stubs for the disabled case, but if CONFIG_EXTCON=m,
      USB_SNP_UDC_PLAT is restricted to m or n (cannot be builtin).
      
      drivers/built-in.o: In function `udc_plat_remove':
      snps_udc_plat.c:(.text+0x2c4060): undefined reference to `extcon_unregister_notifier'
      drivers/built-in.o: In function `udc_plat_probe':
      snps_udc_plat.c:(.text+0x2c438c): undefined reference to `extcon_get_edev_by_phandle'
      snps_udc_plat.c:(.text+0x2c43f2): undefined reference to `extcon_register_notifier'
      snps_udc_plat.c:(.text+0x2c4416): undefined reference to `extcon_get_state'
      snps_udc_plat.c:(.text+0x2c44f7): undefined reference to `extcon_unregister_notifier'
      Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      641663a1
    • Y
      usb: gadget: function: printer: avoid spinlock recursion · 9ada8c58
      Yoshihiro Shimoda 提交于
      If usb_gadget_giveback_request() is called in usb_ep_queue(),
      this printer_write() is possible to cause spinlock recursion. So,
      this patch adds spin_unlock() before calls usb_ep_queue() to avoid it.
      Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      9ada8c58
    • R
      usb: gadget: core: fix ->udc_set_speed() logic · 97e133d5
      Roger Quadros 提交于
      Consider the following case: udc controller supports SuperSpeed.  If we
      first load a HighSpeed gadget followed by a SuperSpeed gadget, the
      SuperSpeed gadget will be limited to HighSpeed as UDC core driver
      doesn't call ->udc_set_speed() in the second case.
      
      Call ->udc_set_speed() unconditionally to fix this issue.
      
      This will also fix the case for dwc3 controller driver when SuperSpeed
      gadget is loaded first and works in HighSpeed only as udc_set_speed()
      was never being called.
      
      Fixes: 6099eca796ae ("usb: gadget: core: introduce ->udc_set_speed() method")
      Cc: <stable@vger.kernel.org> [v4.13+]
      Signed-off-by: NRoger Quadros <rogerq@ti.com>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      97e133d5
  7. 19 9月, 2017 1 次提交
  8. 18 9月, 2017 12 次提交
    • K
      Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts" · bcd6a7aa
      Kai-Heng Feng 提交于
      This reverts commit dec08194.
      
      Commit dec08194 ("xhci: Limit USB2 port wake support for AMD Promontory
      hosts") makes all high speed USB ports on ASUS PRIME B350M-A cease to
      function after enabling runtime PM.
      
      All boards with this chipsets will be affected, so revert the commit.
      
      The original patch was added to stable 4.9, 4.11 and 4.12 and needs
      to reverted from there as well
      
      Cc: <stable@vger.kernel.org> # 4.9+
      Signed-off-by: NKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcd6a7aa
    • M
      xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor · 7bea22b1
      Mathias Nyman 提交于
      A SuperSpeedPlus roothub needs to have the Link Protocol (LP) bit set in
      the bmSublinkSpeedAttr[] entry of a SuperSpeedPlus descriptor.
      
      If the xhci controller has an optional Protocol Speed ID (PSI) table then
      that will be used as a base to create the roothub SuperSpeedPlus
      descriptor.
      The PSI table does not however necessary contain the LP bit so we need
      to set it manually.
      
      Check the psi speed and set LP bit if speed is 10Gbps or higher.
      We're not setting it for 5 to 10Gbps as USB 3.1 specification always
      mention SuperSpeedPlus for 10Gbps or higher, and some SSIC USB 3.0 speeds
      can be over 5Gbps, such as SSIC-G3B-L1 at 5830 Mbps
      
      Cc: <stable@vger.kernel.org> # 4.6+
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7bea22b1
    • M
      xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround · 4ec1cd3e
      Mathias Nyman 提交于
      The flow control workaround for ASM1042A xHC hosts sleeps between
      register polling. The workaround gets called in several places, among
      them with spin_lock_irq() held when xHC host is resumed or hoplug removed.
      
      This was noticed as kernel panics at resume on a Dell XPS15 9550 with
      TB16 thunderbolt dock.
      
      Avoid sleeping with spin_lock_irq() held, use udelay() instead
      
      The original workaround was added to 4.9 and 4.12 stable releases,
      this patch needs to be applied to those as well.
      
      Fixes: 9da5a109 ("xhci: Bad Ethernet performance plugged in ASM1042A host")
      Cc: <stable@vger.kernel.org> #4.9+
      Reported-by: NJose Marino <marinoj@nso.edu>
      Tested-by: NJose Marino <marinoj@nso.edu>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ec1cd3e
    • A
      usb: host: xhci-plat: allow sysdev to inherit from ACPI · c6b8e793
      Adam Wallis 提交于
      Commit 4c39d4b9 ("usb: xhci: use bus->sysdev for DMA configuration")
      updated the method determining DMA for XHCI from sysdev. However, this
      patch broke the ability to enumerate the FWNODE from parent ACPI devices
      from the child plat XHCI device.
      
      Currently, xhci_plat is not set up properly when the parent device is an
      ACPI node. The conditions that xhci_plat_probe should satisfy are
      
      1. xhci_plat comes from firmware
      2. xhci_plat is child of a device from firmware (dwc3-plat)
      3. xhci_plat is grandchild of a pci device (dwc3-pci)
      
      Case 2 is covered when the child is an OF node (by checking
      sysdev->parent->of_node), however, an ACPI parent will return NULL in
      the of_node check and will thus not result in sysdev being set to
      sysdev->parent
      
      [   17.591549] xhci-hcd: probe of xhci-hcd.6.auto failed with error -5
      
      This change adds a check for ACPI to completely allow for condition 2.
      This is done by first checking if the parent node is of type ACPI (e.g.,
      dwc3-plat) and set sysdev to sysdev->parent if either of the two
      following conditions are met:
      
      1: If fwnode is empty (in the case that platform_device_add_properties
      was not called on the allocated platform device)
      2: fwnode exists but is not of type ACPI (this would happen if
      platform_device_add_properties was called on the allocated device.
      Instead of type FWNODE_ACPI, you would end up with FWNODE_PDATA)
      
      Cc: stable@vger.kernel.org #4.12.x
      Cc: stable@vger.kernel.org #4.13.x
      
      Fixes: 4c39d4b9 ("usb: xhci: use bus->sysdev for DMA configuration")
      Tested-by: NThang Q. Nguyen <tqnguyen@apm.com>
      Signed-off-by: NAdam Wallis <awallis@codeaurora.org>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6b8e793
    • M
      xhci: fix wrong endpoint ESIT value shown in tracing · 76a14d7b
      Mathias Nyman 提交于
      Read the endpiont ESIT from endpiont context using correct macro.
      Add a macro for reading the high bits of ESIT for Large ESIT Payload
      Capable hosts (LEC=1)
      
      Cc: <stable@vger.kernel.org> # 4.12
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76a14d7b
    • J
      usb: pci-quirks.c: Corrected timeout values used in handshake · 114ec3a6
      Jim Dickerson 提交于
      Servers were emitting failed handoff messages but were not
      waiting the full 1 second as designated in section 4.22.1 of
      the eXtensible Host Controller Interface specifications. The
      handshake was using wrong units so calls were made with milliseconds
      not microseconds. Comments referenced 5 seconds not 1 second as
      in specs.
      
      The wrong units were also corrected in a second handshake call.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NJim Dickerson <jim.dickerson@hpe.com>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      114ec3a6
    • M
      xhci: fix finding correct bus_state structure for USB 3.1 hosts · 5a838a13
      Mathias Nyman 提交于
      xhci driver keeps a bus_state structure for each hcd (usb2 and usb3)
      
      The structure is picked based on hcd speed, but driver only compared
      for HCD_USB3 speed, returning the wrong bus_state for HCD_USB31 hosts.
      
      This caused null pointer dereference errors in bus_resume function.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a838a13
    • L
      usb: xhci: Free the right ring in xhci_add_endpoint() · 9821786d
      Lu Baolu 提交于
      In the xhci_add_endpoint(), a new ring was allocated and saved at
      xhci_virt_ep->new_ring. Hence, when error happens, we need to free
      the allocated ring before returning error.
      
      Current code frees xhci_virt_ep->ring instead of the new_ring. This
      patch fixes this.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9821786d
    • F
      usb: dwc3: ep0: fix DMA starvation by assigning req->trb on ep0 · 55168470
      Felipe Balbi 提交于
      If we don't assign a TRB to ep0 requests, we won't be able to unmap
      the request later on resulting in starvation of DMA resources.
      
      Fixes: 4a71fcb8 ("usb: dwc3: gadget: only unmap requests from DMA if mapped")
      Reported-by: NThinh Nguyen <Thinh.Nguyen@synopsys.com>
      Tested-by: NThinh Nguyen <Thinh.Nguyen@synopsys.com>
      Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      55168470
    • D
      usb: Increase quirk delay for USB devices · b2a542bb
      Dmitry Fleytman 提交于
      Commit e0429362
      ("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
      introduced quirk to workaround an issue with some Logitech webcams.
      
      The workaround is introducing delay for some USB operations.
      
      According to our testing, delay introduced by original commit
      is not long enough and in rare cases we still see issues described
      by the aforementioned commit.
      
      This patch increases delays introduced by original commit.
      Having this patch applied we do not see those problems anymore.
      Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2a542bb
    • A
      uwb: properly check kthread_run return value · bbf26183
      Andrey Konovalov 提交于
      uwbd_start() calls kthread_run() and checks that the return value is
      not NULL. But the return value is not NULL in case kthread_run() fails,
      it takes the form of ERR_PTR(-EINTR).
      
      Use IS_ERR() instead.
      
      Also add a check to uwbd_stop().
      Signed-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbf26183
    • A
      uwb: ensure that endpoint is interrupt · 70e743e4
      Andrey Konovalov 提交于
      hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no
      check for that, which results in a WARNING in USB core code, when a bad
      USB descriptor is provided from a device:
      
      usb 1-1: BOGUS urb xfer, pipe 1 != type 3
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
      Modules linked in:
      CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Workqueue: usb_hub_wq hub_event
      task: ffff88006bdc1a00 task.stack: ffff88006bde8000
      RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
      RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282
      RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000
      RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a
      RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff
      R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f
      R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90
      FS:  0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0
      Call Trace:
       hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710
       uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361
       hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858
       usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
       really_probe drivers/base/dd.c:385
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
       bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
       __device_attach+0x269/0x3c0 drivers/base/dd.c:682
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
       bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
       device_add+0xcf9/0x1640 drivers/base/core.c:1703
       usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
       generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
       usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
       really_probe drivers/base/dd.c:385
       driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
       __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
       bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
       __device_attach+0x269/0x3c0 drivers/base/dd.c:682
       device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
       bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
       device_add+0xcf9/0x1640 drivers/base/core.c:1703
       usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
       hub_port_connect drivers/usb/core/hub.c:4890
       hub_port_connect_change drivers/usb/core/hub.c:4996
       port_event drivers/usb/core/hub.c:5102
       hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182
       process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
       worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
       kthread+0x324/0x3f0 kernel/kthread.c:231
       ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
      Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89
      e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f>
      ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6
      ---[ end trace 55d741234124cfc3 ]---
      
      Check that endpoint is interrupt.
      
      Found by syzkaller.
      Signed-off-by: NAndrey Konovalov <andreyknvl@google.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      70e743e4
  9. 17 9月, 2017 1 次提交