1. 16 Sep, 2019 1 commit
  2. 28 Aug, 2019 8 commits
  3. 21 Aug, 2019 4 commits
  4. 15 Aug, 2019 8 commits
    • Christoph Hellwig's avatar
      usb: add a hcd_uses_dma helper · edfbcb32
      Christoph Hellwig authored
      The USB buffer allocation code is the only place in the usb core (and in
      fact the whole kernel) that uses is_device_dma_capable, while the URB
      mapping code uses the uses_dma flag in struct usb_bus.  Switch the buffer
      allocation to use the uses_dma flag used by the rest of the USB code,
      and create a helper in hcd.h that checks this flag as well as the
      CONFIG_HAS_DMA to simplify the caller a bit.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Link: https://lore.kernel.org/r/20190811080520.21712-3-hch@lst.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      edfbcb32
    • Christoph Hellwig's avatar
      usb: don't create dma pools for HCDs with a localmem_pool · dd3ecf17
      Christoph Hellwig authored
      If the HCD provides a localmem pool we will never use the DMA pools, so
      don't create them.
      
      Fixes: b0310c2f ("USB: use genalloc for USB HCs with local memory")
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Link: https://lore.kernel.org/r/20190811080520.21712-2-hch@lst.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd3ecf17
    • André Draszik's avatar
      usb: chipidea: imx: fix EPROBE_DEFER support during driver probe · 141822aa
      André Draszik authored
      If driver probe needs to be deferred, e.g. because ci_hdrc_add_device()
      isn't ready yet, this driver currently misbehaves badly:
          a) success is still reported to the driver core (meaning a 2nd
             probe attempt will never be done), leaving the driver in
             a dysfunctional state and the hardware unusable
      
          b) driver remove / shutdown OOPSes:
          [  206.786916] Unable to handle kernel paging request at virtual address fffffdff
          [  206.794148] pgd = 880b9f82
          [  206.796890] [fffffdff] *pgd=abf5e861, *pte=00000000, *ppte=00000000
          [  206.803179] Internal error: Oops: 37 [#1] PREEMPT SMP ARM
          [  206.808581] Modules linked in: wl18xx evbug
          [  206.813308] CPU: 1 PID: 1 Comm: systemd-shutdow Not tainted 4.19.35+gf345c93b4195 #1
          [  206.821053] Hardware name: Freescale i.MX7 Dual (Device Tree)
          [  206.826813] PC is at ci_hdrc_remove_device+0x4/0x20
          [  206.831699] LR is at ci_hdrc_imx_remove+0x20/0xe8
          [  206.836407] pc : [<805cd4b0>]    lr : [<805d62cc>]    psr: 20000013
          [  206.842678] sp : a806be40  ip : 00000001  fp : 80adbd3c
          [  206.847906] r10: 80b1b794  r9 : 80d5dfe0  r8 : a8192c44
          [  206.853136] r7 : 80db93a0  r6 : a8192c10  r5 : a8192c00  r4 : a93a4a00
          [  206.859668] r3 : 00000000  r2 : a8192ce4  r1 : ffffffff  r0 : fffffdfb
          [  206.866201] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
          [  206.873341] Control: 10c5387d  Table: a9e0c06a  DAC: 00000051
          [  206.879092] Process systemd-shutdow (pid: 1, stack limit = 0xb271353c)
          [  206.885624] Stack: (0xa806be40 to 0xa806c000)
          [  206.889992] be40: a93a4a00 805d62cc a8192c1c a8170e10 a8192c10 8049a490 80d04d08 00000000
          [  206.898179] be60: 00000000 80d0da2c fee1dead 00000000 a806a000 00000058 00000000 80148b08
          [  206.906366] be80: 01234567 80148d8c a9858600 00000000 00000000 00000000 00000000 80d04d08
          [  206.914553] bea0: 00000000 00000000 a82741e0 a9858600 00000024 00000002 a9858608 00000005
          [  206.922740] bec0: 0000001e 8022c058 00000000 00000000 a806bf14 a9858600 00000000 a806befc
          [  206.930927] bee0: a806bf78 00000000 7ee12c30 8022c18c a806bef8 a806befc 00000000 00000001
          [  206.939115] bf00: 00000000 00000024 a806bf14 00000005 7ee13b34 7ee12c68 00000004 7ee13f20
          [  206.947302] bf20: 00000010 7ee12c7c 00000005 7ee12d04 0000000a 76e7dc00 00000001 80d0f140
          [  206.955490] bf40: ab637880 a974de40 60000013 80d0f140 ab6378a0 80d04d08 a8080470 a9858600
          [  206.963677] bf60: a9858600 00000000 00000000 8022c24c 00000000 80144310 00000000 00000000
          [  206.971864] bf80: 80101204 80d04d08 00000000 80d04d08 00000000 00000000 00000003 00000058
          [  206.980051] bfa0: 80101204 80101000 00000000 00000000 fee1dead 28121969 01234567 00000000
          [  206.988237] bfc0: 00000000 00000000 00000003 00000058 00000000 00000000 00000000 00000000
          [  206.996425] bfe0: 0049ffb0 7ee13d58 0048a84b 76f245a6 60000030 fee1dead 00000000 00000000
          [  207.004622] [<805cd4b0>] (ci_hdrc_remove_device) from [<805d62cc>] (ci_hdrc_imx_remove+0x20/0xe8)
          [  207.013509] [<805d62cc>] (ci_hdrc_imx_remove) from [<8049a490>] (device_shutdown+0x16c/0x218)
          [  207.022050] [<8049a490>] (device_shutdown) from [<80148b08>] (kernel_restart+0xc/0x50)
          [  207.029980] [<80148b08>] (kernel_restart) from [<80148d8c>] (sys_reboot+0xf4/0x1f0)
          [  207.037648] [<80148d8c>] (sys_reboot) from [<80101000>] (ret_fast_syscall+0x0/0x54)
          [  207.045308] Exception stack(0xa806bfa8 to 0xa806bff0)
          [  207.050368] bfa0:                   00000000 00000000 fee1dead 28121969 01234567 00000000
          [  207.058554] bfc0: 00000000 00000000 00000003 00000058 00000000 00000000 00000000 00000000
          [  207.066737] bfe0: 0049ffb0 7ee13d58 0048a84b 76f245a6
          [  207.071799] Code: ebffffa8 e3a00000 e8bd8010 e92d4010 (e5904004)
          [  207.078021] ---[ end trace be47424e3fd46e9f ]---
          [  207.082647] Kernel panic - not syncing: Fatal exception
          [  207.087894] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
          c) the error path in combination with driver removal causes
             imbalanced calls to the clk_*() and pm_()* APIs
      
      a) happens because the original intended return value is
         overwritten (with 0) by the return code of
         regulator_disable() in ci_hdrc_imx_probe()'s error path
      b) happens because ci_pdev is -EPROBE_DEFER, which causes
         ci_hdrc_remove_device() to OOPS
      
      Fix a) by being more careful in ci_hdrc_imx_probe()'s error
      path and not overwriting the real error code
      
      Fix b) by calling the respective cleanup functions during
      remove only when needed (when ci_pdev != NULL, i.e. when
      everything was initialised correctly). This also has the
      side effect of not causing imbalanced clk_*() and pm_*()
      API calls as part of the error code path.
      
      Fixes: 7c8e8909 ("usb: chipidea: imx: add HSIC support")
      Signed-off-by: default avatarAndré Draszik <git@andred.net>
      Cc: stable <stable@vger.kernel.org>
      CC: Peter Chen <Peter.Chen@nxp.com>
      CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      CC: Shawn Guo <shawnguo@kernel.org>
      CC: Sascha Hauer <s.hauer@pengutronix.de>
      CC: Pengutronix Kernel Team <kernel@pengutronix.de>
      CC: Fabio Estevam <festevam@gmail.com>
      CC: NXP Linux Team <linux-imx@nxp.com>
      CC: linux-usb@vger.kernel.org
      CC: linux-arm-kernel@lists.infradead.org
      CC: linux-kernel@vger.kernel.org
      Link: https://lore.kernel.org/r/20190810150758.17694-1-git@andred.netSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      141822aa
    • Hans Ulli Kroll's avatar
      usb: host: fotg2: restart hcd after port reset · 77775888
      Hans Ulli Kroll authored
      On the Gemini SoC the FOTG2 stalls after port reset
      so restart the HCD after each port reset.
      Signed-off-by: default avatarHans Ulli Kroll <ulli.kroll@googlemail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Link: https://lore.kernel.org/r/20190810150458.817-1-linus.walleij@linaro.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77775888
    • Oliver Neukum's avatar
      USB: CDC: fix sanity checks in CDC union parser · 54364278
      Oliver Neukum authored
      A few checks checked for the size of the pointer to a structure
      instead of the structure itself. Copy & paste issue presumably.
      
      Fixes: e4c6fb77 ("usbnet: move the CDC parser into USB core")
      Cc: stable <stable@vger.kernel.org>
      Reported-by: syzbot+45a53506b65321c1fe91@syzkaller.appspotmail.com
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Link: https://lore.kernel.org/r/20190813093541.18889-1-oneukum@suse.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54364278
    • Oliver Neukum's avatar
      usb: cdc-acm: make sure a refcount is taken early enough · c52873e5
      Oliver Neukum authored
      destroy() will decrement the refcount on the interface, so that
      it needs to be taken so early that it never undercounts.
      
      Fixes: 7fb57a01 ("USB: cdc-acm: Fix potential deadlock (lockdep warning)")
      Cc: stable <stable@vger.kernel.org>
      Reported-and-tested-by: syzbot+1b2449b7b5dc240d107a@syzkaller.appspotmail.com
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Link: https://lore.kernel.org/r/20190808142119.7998-1-oneukum@suse.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c52873e5
    • Bob Ham's avatar
      USB: serial: option: add the BroadMobi BM818 card · e5d8badf
      Bob Ham authored
      Add a VID:PID for the BroadMobi BM818 M.2 card
      
      T:  Bus=01 Lev=03 Prnt=40 Port=03 Cnt=01 Dev#= 44 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2020 ProdID=2060 Rev=00.00
      S:  Manufacturer=Qualcomm, Incorporated
      S:  Product=Qualcomm CDMA Technologies MSM
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fe Prot=ff Driver=(none)
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      Signed-off-by: Bob Ham's avatarBob Ham <bob.ham@puri.sm>
      Signed-off-by: default avatarAngus Ainslie (Purism) <angus@akkea.ca>
      Cc: stable <stable@vger.kernel.org>
      [ johan: use USB_DEVICE_INTERFACE_CLASS() ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      e5d8badf
    • Tony Lindgren's avatar
      USB: serial: option: Add Motorola modem UARTs · 6caf0be4
      Tony Lindgren authored
      On Motorola Mapphone devices such as Droid 4 there are five USB ports
      that do not use the same layout as Gobi 1K/2K/etc devices listed in
      qcserial.c. So we should use qcaux.c or option.c as noted by
      Dan Williams <dan.j.williams@intel.com>.
      
      As the Motorola USB serial ports have an interrupt endpoint as shown
      with lsusb -v, we should use option.c instead of qcaux.c as pointed out
      by Johan Hovold <johan@kernel.org>.
      
      The ff/ff/ff interfaces seem to always be UARTs on Motorola devices.
      For the other interfaces, class 0x0a (CDC Data) should not in general
      be added as they are typically part of a multi-interface function as
      noted earlier by Bjørn Mork <bjorn@mork.no>.
      
      However, looking at the Motorola mapphone kernel code, the mdm6600 0x0a
      class is only used for flashing the modem firmware, and there are no
      other interfaces. So I've added that too with more details below as it
      works just fine.
      
      The ttyUSB ports on Droid 4 are:
      
      ttyUSB0 DIAG, CQDM-capable
      ttyUSB1 MUX or NMEA, no response
      ttyUSB2 MUX or NMEA, no response
      ttyUSB3 TCMD
      ttyUSB4 AT-capable
      
      The ttyUSB0 is detected as QCDM capable by ModemManager. I think
      it's only used for debugging with ModemManager --debug for sending
      custom AT commands though. ModemManager already can manage data
      connection using the USB QMI ports that are already handled by the
      qmi_wwan.c driver.
      
      To enable the MUX or NMEA ports, it seems that something needs to be
      done additionally to enable them, maybe via the DIAG or TCMD port.
      It might be just a NVRAM setting somewhere, but I have no idea what
      NVRAM settings may need changing for that.
      
      The TCMD port seems to be a Motorola custom protocol for testing
      the modem and to configure it's NVRAM and seems to work just fine
      based on a quick test with a minimal tcmdrw tool I wrote.
      
      The voice modem AT-capable port seems to provide only partial
      support, and no PM support compared to the TS 27.010 based UART
      wired directly to the modem.
      
      The UARTs added with this change are the same product IDs as the
      Motorola Mapphone Android Linux kernel mdm6600_id_table. I don't
      have any mdm9600 based devices, so I have only tested these on
      mdm6600 based droid 4.
      
      Then for the class 0x0a (CDC Data) mode, the Motorola Mapphone Android
      Linux kernel driver moto_flashqsc.c just seems to change the
      port->bulk_out_size to 8K from the default. And is only used for
      flashing the modem firmware it seems.
      
      I've verified that flashing the modem with signed firmware works just
      fine with the option driver after manually toggling the GPIO pins, so
      I've added droid 4 modem flashing mode to the option driver. I've not
      added the other devices listed in moto_flashqsc.c in case they really
      need different port->bulk_out_size. Those can be added as they get
      tested to work for flashing the modem.
      
      After this patch the output of /sys/kernel/debug/usb/devices has
      the following for normal 22b8:2a70 mode including the related qmi_wwan
      interfaces:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=22b8 ProdID=2a70 Rev= 0.00
      S:  Manufacturer=Motorola, Incorporated
      S:  Product=Flash MZ600
      C:* #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=83(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=84(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=05(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=88(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=06(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=8a(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=07(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 7 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=8b(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=8c(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=08(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
      E:  Ad=8d(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
      E:  Ad=8e(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=09(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      
      In 22b8:900e "qc_dload" mode the device shows up as:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=22b8 ProdID=900e Rev= 0.00
      S:  Manufacturer=Motorola, Incorporated
      S:  Product=Flash MZ600
      C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      
      And in 22b8:4281 "ram_downloader" mode the device shows up as:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=22b8 ProdID=4281 Rev= 0.00
      S:  Manufacturer=Motorola, Incorporated
      S:  Product=Flash MZ600
      C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=fc Driver=option
      E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      
      Cc: Bjørn Mork <bjorn@mork.no>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Lars Melin <larsm17@gmail.com>
      Cc: Marcel Partap <mpartap@gmx.net>
      Cc: Merlijn Wajer <merlijn@wizzup.org>
      Cc: Michael Scott <hashcode0f@gmail.com>
      Cc: NeKit <nekit1000@gmail.com>
      Cc: Pavel Machek <pavel@ucw.cz>
      Cc: Sebastian Reichel <sre@kernel.org>
      Tested-by: Pavel Machek's avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      6caf0be4
  5. 12 Aug, 2019 4 commits
    • Alan Stern's avatar
      USB: core: Fix races in character device registration and deregistraion · 303911cf
      Alan Stern authored
      The syzbot fuzzer has found two (!) races in the USB character device
      registration and deregistration routines.  This patch fixes the races.
      
      The first race results from the fact that usb_deregister_dev() sets
      usb_minors[intf->minor] to NULL before calling device_destroy() on the
      class device.  This leaves a window during which another thread can
      allocate the same minor number but will encounter a duplicate name
      error when it tries to register its own class device.  A typical error
      message in the system log would look like:
      
          sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'
      
      The patch fixes this race by destroying the class device first.
      
      The second race is in usb_register_dev().  When that routine runs, it
      first allocates a minor number, then drops minor_rwsem, and then
      creates the class device.  If the device creation fails, the minor
      number is deallocated and the whole routine returns an error.  But
      during the time while minor_rwsem was dropped, there is a window in
      which the minor number is allocated and so another thread can
      successfully open the device file.  Typically this results in
      use-after-free errors or invalid accesses when the other thread closes
      its open file reference, because the kernel then tries to release
      resources that were already deallocated when usb_register_dev()
      failed.  The patch fixes this race by keeping minor_rwsem locked
      throughout the entire routine.
      
      Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      303911cf
    • Benjamin Herrenschmidt's avatar
      usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt · 4a56a478
      Benjamin Herrenschmidt authored
      If fsg_disable() and fsg_set_alt() are called too closely to each
      other (for example due to a quick reset/reconnect), what can happen
      is that fsg_set_alt sets common->new_fsg from an interrupt while
      handle_exception is trying to process the config change caused by
      fsg_disable():
      
      	fsg_disable()
      	...
      	handle_exception()
      		sets state back to FSG_STATE_NORMAL
      		hasn't yet called do_set_interface()
      		or is inside it.
      
       ---> interrupt
      	fsg_set_alt
      		sets common->new_fsg
      		queues a new FSG_STATE_CONFIG_CHANGE
       <---
      
      Now, the first handle_exception can "see" the updated
      new_fsg, treats it as if it was a fsg_set_alt() response,
      call usb_composite_setup_continue() etc...
      
      But then, the thread sees the second FSG_STATE_CONFIG_CHANGE,
      and goes back down the same path, wipes and reattaches a now
      active fsg, and .. calls usb_composite_setup_continue() which
      at this point is wrong.
      
      Not only we get a backtrace, but I suspect the second set_interface
      wrecks some state causing the host to get upset in my case.
      
      This fixes it by replacing "new_fsg" by a "state argument" (same
      principle) which is set in the same lock section as the state
      update, and retrieved similarly.
      
      That way, there is never any discrepancy between the dequeued
      state and the observed value of it. We keep the ability to have
      the latest reconfig operation take precedence, but we guarantee
      that once "dequeued" the argument (new_fsg) will not be clobbered
      by any new event.
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      4a56a478
    • Benjamin Herrenschmidt's avatar
      usb: gadget: composite: Clear "suspended" on reset/disconnect · 602fda17
      Benjamin Herrenschmidt authored
      In some cases, one can get out of suspend with a reset or
      a disconnect followed by a reconnect. Previously we would
      leave a stale suspended flag set.
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      602fda17
    • Yoshihiro Shimoda's avatar
      usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role" · 5dac665c
      Yoshihiro Shimoda authored
      Since the role_store() uses strncmp(), it's possible to refer
      out-of-memory if the sysfs data size is smaller than strlen("host").
      This patch fixes it by using sysfs_streq() instead of strncmp().
      
      Fixes: cc995c9e ("usb: gadget: udc: renesas_usb3: add support for usb role swap")
      Cc: <stable@vger.kernel.org> # v4.12+
      Reviewed-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      5dac665c
  6. 08 Aug, 2019 3 commits
  7. 05 Aug, 2019 4 commits
    • Gavin Li's avatar
      usb: usbfs: fix double-free of usb memory upon submiturb error · c43f28df
      Gavin Li authored
      Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
      gets called once by the error handling tail and again by free_async().
      Remove the first call.
      Signed-off-by: default avatarGavin Li <git@thegavinli.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c43f28df
    • Suzuki K Poulose's avatar
      usb: yurex: Fix use-after-free in yurex_delete · fc05481b
      Suzuki K Poulose authored
      syzbot reported the following crash [0]:
      
      BUG: KASAN: use-after-free in usb_free_coherent+0x79/0x80
      drivers/usb/core/usb.c:928
      Read of size 8 at addr ffff8881b18599c8 by task syz-executor.4/16007
      
      CPU: 0 PID: 16007 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #23
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        usb_free_coherent+0x79/0x80 drivers/usb/core/usb.c:928
        yurex_delete+0x138/0x330 drivers/usb/misc/yurex.c:100
        kref_put include/linux/kref.h:65 [inline]
        yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
        __fput+0x2d7/0x840 fs/file_table.c:280
        task_work_run+0x13f/0x1c0 kernel/task_work.c:113
        tracehook_notify_resume include/linux/tracehook.h:188 [inline]
        exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
        prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
        do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x413511
      Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48
      83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
      89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
      RSP: 002b:00007ffc424ea2e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
      RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413511
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
      RBP: 0000000000000001 R08: 0000000029a2fc22 R09: 0000000029a2fc26
      R10: 00007ffc424ea3c0 R11: 0000000000000293 R12: 000000000075c9a0
      R13: 000000000075c9a0 R14: 0000000000761938 R15: ffffffffffffffff
      
      Allocated by task 2776:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_kmalloc mm/kasan/common.c:487 [inline]
        __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
        kmalloc include/linux/slab.h:552 [inline]
        kzalloc include/linux/slab.h:748 [inline]
        usb_alloc_dev+0x51/0xf95 drivers/usb/core/usb.c:583
        hub_port_connect drivers/usb/core/hub.c:5004 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x15c0/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        worker_thread+0x96/0xe20 kernel/workqueue.c:2415
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Freed by task 16007:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
        slab_free_hook mm/slub.c:1423 [inline]
        slab_free_freelist_hook mm/slub.c:1470 [inline]
        slab_free mm/slub.c:3012 [inline]
        kfree+0xe4/0x2f0 mm/slub.c:3953
        device_release+0x71/0x200 drivers/base/core.c:1064
        kobject_cleanup lib/kobject.c:693 [inline]
        kobject_release lib/kobject.c:722 [inline]
        kref_put include/linux/kref.h:65 [inline]
        kobject_put+0x171/0x280 lib/kobject.c:739
        put_device+0x1b/0x30 drivers/base/core.c:2213
        usb_put_dev+0x1f/0x30 drivers/usb/core/usb.c:725
        yurex_delete+0x40/0x330 drivers/usb/misc/yurex.c:95
        kref_put include/linux/kref.h:65 [inline]
        yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
        __fput+0x2d7/0x840 fs/file_table.c:280
        task_work_run+0x13f/0x1c0 kernel/task_work.c:113
        tracehook_notify_resume include/linux/tracehook.h:188 [inline]
        exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
        prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
        do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8881b1859980
        which belongs to the cache kmalloc-2k of size 2048
      The buggy address is located 72 bytes inside of
        2048-byte region [ffff8881b1859980, ffff8881b185a180)
      The buggy address belongs to the page:
      page:ffffea0006c61600 refcount:1 mapcount:0 mapping:ffff8881da00c000
      index:0x0 compound_mapcount: 0
      flags: 0x200000000010200(slab|head)
      raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c000
      raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
        ffff8881b1859880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff8881b1859900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      > ffff8881b1859980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                     ^
        ffff8881b1859a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8881b1859a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      A quick look at the yurex_delete() shows that we drop the reference
      to the usb_device before releasing any buffers associated with the
      device. Delay the reference drop until we have finished the cleanup.
      
      [0] https://lore.kernel.org/lkml/0000000000003f86d8058f0bd671@google.com/
      
      Fixes: 6bc235a2 ("USB: add driver for Meywa-Denki & Kayac YUREX")
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
      Cc: Oliver Neukum <oneukum@suse.com>
      Cc: andreyknvl@google.com
      Cc: gregkh@linuxfoundation.org
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Cc: syzkaller-bugs@googlegroups.com
      Cc: dtor@chromium.org
      Reported-by: syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20190805111528.6758-1-suzuki.poulose@arm.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc05481b
    • Rogan Dawes's avatar
      USB: serial: option: add D-Link DWM-222 device ID · 552573e4
      Rogan Dawes authored
      Add device id for D-Link DWM-222 A2.
      
      MI_00 D-Link HS-USB Diagnostics
      MI_01 D-Link HS-USB Modem
      MI_02 D-Link HS-USB AT Port
      MI_03 D-Link HS-USB NMEA
      MI_04 D-Link HS-USB WWAN Adapter (qmi_wwan)
      MI_05 USB Mass Storage Device
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRogan Dawes <rogan@dawes.za.net>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      552573e4
    • Yoshiaki Okamoto's avatar
      USB: serial: option: Add support for ZTE MF871A · 7e7ae38b
      Yoshiaki Okamoto authored
      This patch adds support for MF871A USB modem (aka Speed USB STICK U03)
      to option driver. This modem is manufactured by ZTE corporation, and
      sold by KDDI.
      
      Interface layout:
      0: AT
      1: MODEM
      
      usb-devices output:
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  9 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=19d2 ProdID=1481 Rev=52.87
      S:  Manufacturer=ZTE,Incorporated
      S:  Product=ZTE Technologies MSM
      S:  SerialNumber=1234567890ABCDEF
      C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      Co-developed-by: default avatarHiroyuki Yamamoto <hyamamo@allied-telesis.co.jp>
      Signed-off-by: default avatarHiroyuki Yamamoto <hyamamo@allied-telesis.co.jp>
      Signed-off-by: default avatarYoshiaki Okamoto <yokamoto@allied-telesis.co.jp>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      7e7ae38b
  8. 02 Aug, 2019 3 commits
  9. 01 Aug, 2019 1 commit
  10. 30 Jul, 2019 3 commits
    • Li Jun's avatar
      usb: typec: tcpm: remove tcpm dir if no children · 12ca7297
      Li Jun authored
      If config tcpm as module, module unload will not remove tcpm dir,
      then the next module load will have problem: the rootdir is NULL
      but tcpm dir is still there, so tcpm_debugfs_init() will create
      tcpm dir again with failure, fix it by remove the tcpm dir if no
      children.
      
      Cc: stable@vger.kernel.org # v4.15+
      Fixes: 4b4e02c8 ("typec: tcpm: Move out of staging")
      Signed-off-by: default avatarLi Jun <jun.li@nxp.com>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Link: https://lore.kernel.org/r/20190717080646.30421-2-jun.li@nxp.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      12ca7297
    • Li Jun's avatar
      usb: typec: tcpm: free log buf memory when remove debug file · fd5da3e2
      Li Jun authored
      The logbuffer memory should be freed when remove debug file.
      
      Cc: stable@vger.kernel.org # v4.15+
      Fixes: 4b4e02c8 ("typec: tcpm: Move out of staging")
      Signed-off-by: default avatarLi Jun <jun.li@nxp.com>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Link: https://lore.kernel.org/r/20190717080646.30421-1-jun.li@nxp.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd5da3e2
    • Guenter Roeck's avatar
      usb: typec: tcpm: Add NULL check before dereferencing config · 1957de95
      Guenter Roeck authored
      When instantiating tcpm on an NXP OM 13588 board with NXP PTN5110,
      the following crash is seen when writing into the 'preferred_role'
      sysfs attribute.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000028
      pgd = f69149ad
      [00000028] *pgd=00000000
      Internal error: Oops: 5 [#1] THUMB2
      Modules linked in: tcpci tcpm
      CPU: 0 PID: 1882 Comm: bash Not tainted 5.1.18-sama5-armv7-r2 #4
      Hardware name: Atmel SAMA5
      PC is at tcpm_try_role+0x3a/0x4c [tcpm]
      LR is at tcpm_try_role+0x15/0x4c [tcpm]
      pc : [<bf8000e2>]    lr : [<bf8000bd>]    psr: 60030033
      sp : dc1a1e88  ip : c03fb47d  fp : 00000000
      r10: dc216190  r9 : dc1a1f78  r8 : 00000001
      r7 : df4ae044  r6 : dd032e90  r5 : dd1ce340  r4 : df4ae054
      r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : df4ae044
      Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA Thumb  Segment none
      Control: 50c53c7d  Table: 3efec059  DAC: 00000051
      Process bash (pid: 1882, stack limit = 0x6a6d4aa5)
      Stack: (0xdc1a1e88 to 0xdc1a2000)
      1e80:                   dd05d808 dd1ce340 00000001 00000007 dd1ce340 c03fb4a7
      1ea0: 00000007 00000007 dc216180 00000000 00000000 c01e1e03 00000000 00000000
      1ec0: c0907008 dee98b40 c01e1d5d c06106c4 00000000 00000000 00000007 c0194e8b
      1ee0: 0000000a 00000400 00000000 c01a97db dc22bf00 ffffe000 df4b6a00 df745900
      1f00: 00000001 00000001 000000dd c01a9c2f 7aeab3be c0907008 00000000 dc22bf00
      1f20: c0907008 00000000 00000000 00000000 00000000 7aeab3be 00000007 dee98b40
      1f40: 005dc318 dc1a1f78 00000000 00000000 00000007 c01969f7 0000000a c01a20cb
      1f60: dee98b40 c0907008 dee98b40 005dc318 00000000 c0196b9b 00000000 00000000
      1f80: dee98b40 7aeab3be 00000074 005dc318 b6f3bdb0 00000004 c0101224 dc1a0000
      1fa0: 00000004 c0101001 00000074 005dc318 00000001 005dc318 00000007 00000000
      1fc0: 00000074 005dc318 b6f3bdb0 00000004 00000007 00000007 00000000 00000000
      1fe0: 00000004 be800880 b6ed35b3 b6e5c746 60030030 00000001 00000000 00000000
      [<bf8000e2>] (tcpm_try_role [tcpm]) from [<c03fb4a7>] (preferred_role_store+0x2b/0x5c)
      [<c03fb4a7>] (preferred_role_store) from [<c01e1e03>] (kernfs_fop_write+0xa7/0x150)
      [<c01e1e03>] (kernfs_fop_write) from [<c0194e8b>] (__vfs_write+0x1f/0x104)
      [<c0194e8b>] (__vfs_write) from [<c01969f7>] (vfs_write+0x6b/0x104)
      [<c01969f7>] (vfs_write) from [<c0196b9b>] (ksys_write+0x43/0x94)
      [<c0196b9b>] (ksys_write) from [<c0101001>] (ret_fast_syscall+0x1/0x62)
      
      Since commit 96232cbc ("usb: typec: tcpm: support get typec and pd
      config from device properties"), the 'config' pointer in struct tcpc_dev
      is optional when registering a Type-C port. Since it is optional, we have
      to check if it is NULL before dereferencing it.
      Reported-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Cc: Douglas Gilbert <dgilbert@interlog.com>
      Fixes: 96232cbc ("usb: typec: tcpm: support get typec and pd config from device properties")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarJun Li <jun.li@nxp.com>
      Reviewed-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Link: https://lore.kernel.org/r/1563979112-22483-1-git-send-email-linux@roeck-us.netSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1957de95
  11. 25 Jul, 2019 1 commit