bka
23079 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Tommy Webb
|
626f66b50c |
Merge tag 'LA.UM.9.14.r1-26000-LAHAINA.QSSI15.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4 into android13-5.4-lahaina
LA.UM.9.14.r1-26000-LAHAINA.QSSI15.0 # By Prashanth K (6) and others # Via Gerrit - the friendly Code Review server (5) and others * tag 'clo/msm-5.4/LA.UM.9.14.r1-26000-LAHAINA.QSSI15.0': FROMGIT: media: venus: hfi: add a check to handle OOB in sfr region FROMGIT: media: venus: hfi: add check to handle incorrect queue size FROMGIT: media: venus: hfi_parser: refactor hfi packet parsing logic FROMGIT: media: venus: hfi_parser: add check to avoid out of bound access UPSTREAM: usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK UPSTREAM: usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK UPSTREAM: usb: xhci: Add error handling in xhci_map_urb_for_dma UPSTREAM: usb: xhci: Use temporary buffer to consolidate SG UPSTREAM: usb: xhci: Set quirk for XHCI_SG_TRB_CACHE_SIZE_QUIRK defconfig: Enable RTL8152 ETH-USB driver msm: mhi_dev: Breaking memory for event request in smaller chunks msm: eva: Validating the SFR buffer size before accessing msm: eva: Copy back the validated size to avoid security issue Change-Id: Ibd883e18a8a410fb23eb3cda97e88b77c34cdbd7 |
||
|
Tommy Webb
|
3b5fdef6b4 |
Merge tag 'ASB-2025-03-05_11-5.4' into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2025-03-01 CVE-2024-46852 CVE-2024-50302 CVE-2025-22413 # By Greg Kroah-Hartman (7) and others # Via Greg Kroah-Hartman (3) and Terence Tritton (xWF) (1) * tag 'ASB-2025-03-05_11-5.4': ANDROID: ABI: Cuttlefish Symbol update Revert "net: net_namespace: Optimize the code" Revert "net: add exit_batch_rtnl() method" Revert "gtp: use exit_batch_rtnl() method" Revert "gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp()." Revert "gtp: Destroy device along with udp socket's netns dismantle." Linux 5.4.290 Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals drm/v3d: Assign job pointer to NULL before signaling the fence Input: xpad - add support for wooting two he (arm) Input: xpad - add unofficial Xbox 360 wireless receiver clone Input: atkbd - map F23 key to support default copilot shortcut Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path vfio/platform: check the bounds of read/write syscalls net/xen-netback: prevent UAF in xenvif_flush_hash() net: xen-netback: hash.c: Use built-in RCU list checking signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die m68k: Add missing mmap_read_lock() to sys_cacheflush() m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag irqchip/sunxi-nmi: Add missing SKIP_WAKE flag scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request ASoC: wm8994: Add depends on MFD core net: fix data-races around sk->sk_forward_alloc scsi: sg: Fix slab-use-after-free read in sg_release() ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() hrtimers: Handle CPU state correctly on hotplug irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly fs/proc: fix softlockup in __read_vmcore (part 2) net: ethernet: xgbe: re-add aneg to supported features in PHY quirks nvmet: propagate npwg topology poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() kheaders: Ignore silly-rename files hfs: Sanity check the root record mac802154: check local interfaces before deleting sdata list i2c: mux: demux-pinctrl: check initial mux selection, too drm/v3d: Ensure job pointer is set to NULL after job completion nfp: bpf: prevent integer overflow in nfp_bpf_event_output() gtp: Destroy device along with udp socket's netns dismantle. gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp: use exit_batch_rtnl() method net: add exit_batch_rtnl() method net: net_namespace: Optimize the code net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() sctp: sysctl: rto_min/max: avoid using current->nsproxy ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv ocfs2: correct return value of ocfs2_local_free_info() phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: fix code style in devm_of_phy_provider_unregister arm64: dts: rockchip: add hevc power domain clock to rk3328 arm64: dts: rockchip: add #power-domain-cells to power domain nodes arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399 arm64: dts: rockchip: fix defines in pd_vio node for rk3399 iio: inkern: call iio_device_put() only on mapped devices iio: adc: at91: call input_free_device() on allocated iio_dev iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() iio: gyro: fxas21002c: Fix missing data update in trigger handler iio: adc: ti-ads8688: fix information leak in triggered buffer iio: imu: kmx61: fix information leak in triggered buffer iio: light: vcnl4035: fix information leak in triggered buffer iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer iio: pressure: zpa2326: fix information leak in triggered buffer usb: gadget: f_fs: Remove WARN_ON in functionfs_bind usb: fix reference leak in usb_new_device() USB: core: Disable LPM only for non-suspended ports USB: usblp: return error when setting unsupported protocol usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null USB: serial: cp210x: add Phoenix Contact UPS Device usb-storage: Add max sectors quirk for Nokia 208 staging: iio: ad9832: Correct phase range check staging: iio: ad9834: Correct phase range check USB: serial: option: add Neoway N723-EA support USB: serial: option: add MeiG Smart SRM815 drm/amd/display: increase MAX_SURFACES to the value supported by hw ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] drm/amd/display: Add check for granularity in dml ceil/floor helpers sctp: sysctl: auth_enable: avoid using current->nsproxy sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy dm thin: make get_first_thin use rcu-safe list first function tls: Fix tls_sw_sendmsg error handling net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute tcp/dccp: allow a connection when sk_max_ack_backlog is zero tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog net: 802: LLC+SNAP OID:PID lookup on start of skb data ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() dm array: fix cursor index when skipping across block boundaries dm array: fix unreleased btree blocks on closing a faulty array cursor dm array: fix releasing a faulty array block twice in dm_array_cursor_end jbd2: flush filesystem device before updating tail sequence Change-Id: I83cf20e29c63126cd17dfa393dca0ce7dfa47a76 |
||
|
Prashanth K
|
95c448e702 |
UPSTREAM: usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK
Upstream commit bac1ec551434 ("usb: xhci: Set quirk for
XHCI_SG_TRB_CACHE_SIZE_QUIRK") introduced a new quirk in XHCI
which fixes XHC timeout, which was seen on synopsys XHCs while
using SG buffers. But the support for this quirk isn't present
in the DWC3 layer.
We will encounter this XHCI timeout/hung issue if we run iperf
loopback tests using RTL8156 ethernet adaptor on DWC3 targets
with scatter-gather enabled. This gets resolved after enabling
the XHCI_SG_TRB_CACHE_SIZE_QUIRK. This patch enables it using
the xhci device property since its needed for DWC3 controller.
In Synopsys DWC3 databook,
Table 9-3: xHCI Debug Capability Limitations
Chained TRBs greater than TRB cache size: The debug capability
driver must not create a multi-TRB TD that describes smaller
than a 1K packet that spreads across 8 or more TRBs on either
the IN TR or the OUT TR.
Change-Id: I51c065d76939b6fc34e80dc970568ba5c9d40567
Cc: stable@vger.kernel.org #5.11
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20240116055816.1169821-2-quic_prashk@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
|
||
|
Prashanth K
|
4f6f18aa00 |
UPSTREAM: usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK
Upstream commit bac1ec551434 ("usb: xhci: Set quirk for
XHCI_SG_TRB_CACHE_SIZE_QUIRK") introduced a new quirk in XHCI
which fixes XHC timeout, which was seen on synopsys XHCs while
using SG buffers. Currently this quirk can only be set using
xhci private data. But there are some drivers like dwc3/host.c
which adds adds quirks using software node for xhci device.
Hence set this xhci quirk by iterating over device properties.
Change-Id: I29c31b05727851fd7c22809febc64589113bc1b9
Cc: stable@vger.kernel.org # 5.11
Fixes: bac1ec551434 ("usb: xhci: Set quirk for XHCI_SG_TRB_CACHE_SIZE_QUIRK")
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Link: https://lore.kernel.org/r/20240116055816.1169821-3-quic_prashk@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
|
||
|
Prashanth K
|
43e62e158f |
UPSTREAM: usb: xhci: Add error handling in xhci_map_urb_for_dma
Currently xhci_map_urb_for_dma() creates a temporary buffer and copies the SG list to the new linear buffer. But if the kzalloc_node() fails, then the following sg_pcopy_to_buffer() can lead to crash since it tries to memcpy to NULL pointer. So return -ENOMEM if kzalloc returns null pointer. Change-Id: I5a2d953f8e9b2f2488f5daafdfbc7084db0ceb61 Cc: stable@vger.kernel.org # 5.11 Fixes: 2017a1e58472 ("usb: xhci: Use temporary buffer to consolidate SG") Signed-off-by: Prashanth K <quic_prashk@quicinc.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20240229141438.619372-10-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Prashanth K <quic_prashk@quicinc.com> |
||
|
Prashanth K
|
ea48826815 |
UPSTREAM: usb: xhci: Use temporary buffer to consolidate SG
The Synopsys xHC has an internal TRB cache of size TRB_CACHE_SIZE for each endpoint. The default value for TRB_CACHE_SIZE is 16 for SS and 8 for HS. The controller loads and updates the TRB cache from the transfer ring in system memory whenever the driver issues a start transfer or update transfer command. For chained TRBs, the Synopsys xHC requires that the total amount of bytes for all TRBs loaded in the TRB cache be greater than or equal to 1 MPS. Or the chain ends within the TRB cache (with a last TRB). If this requirement is not met, the controller will not be able to send or receive a packet and it will hang causing a driver timeout and error. This can be a problem if a class driver queues SG requests with many small-buffer entries. The XHCI driver will create a chained TRB for each entry which may trigger this issue. This patch adds logic to the XHCI driver to detect and prevent this from happening. For every (TRB_CACHE_SIZE - 2), we check the total buffer size of the SG list and if the last window of (TRB_CACHE_SIZE - 2) SG list length and we don't make up at least 1 MPS, we create a temporary buffer to consolidate full SG list into the buffer. We check at (TRB_CACHE_SIZE - 2) window because it is possible that there would be a link and/or event data TRB that take up to 2 of the cache entries. We discovered this issue with devices on other platforms but have not yet come across any device that triggers this on Linux. But it could be a real problem now or in the future. All it takes is N number of small chained TRBs. And other instances of the Synopsys IP may have smaller values for the TRB_CACHE_SIZE which would exacerbate the problem. Change-Id: I6d34805c32756c48b07be2ffa9aad72ab5af2bbe Signed-off-by: Tejas Joglekar <joglekar@synopsys.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20201208092912.1773650-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Prashanth K <quic_prashk@quicinc.com> |
||
|
Prashanth K
|
2a4f06f92c |
UPSTREAM: usb: xhci: Set quirk for XHCI_SG_TRB_CACHE_SIZE_QUIRK
This commit uses the private data passed by parent device to set the quirk for Synopsys xHC. This patch fixes the SNPS xHC hang issue when the data is scattered across small buffers which does not make atleast MPS size for given TRB cache size of SNPS xHC. Change-Id: I1eb96096cfb7500b5ef4eb866170642bff0b2133 Signed-off-by: Tejas Joglekar <joglekar@synopsys.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Link: https://lore.kernel.org/r/20201208092912.1773650-2-mathias.nyman@linux.intel.com Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Prashanth K <quic_prashk@quicinc.com> |
||
|
Michael Bestas
|
b964d75b7e |
Merge tag 'LA.UM.9.14.r1-25800-LAHAINA.QSSI15.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4 into android13-5.4-lahaina
"LA.UM.9.14.r1-25800-LAHAINA.QSSI15.0" * tag 'LA.UM.9.14.r1-25800-LAHAINA.QSSI15.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4: msm: eva: Validating the SFR buffer size before accessing msm: eva: Copy back the validated size to avoid security issue msm: npu: Fix use after free issue USB: dwc3: gadget: Add stop transfer request for isoc transfers arm64: defconfig: Enable uvc for QCM6490 IOT target firmware: qcom_scm: do not clear dump mode from shutdown msm: virtio_npu: Fix use-after-free issue in unmap_buf msm: virtio_npu: Fix use-after-free issue in virt_npu_map_buf i2c: i2c-master-msm-geni: add null pointer check in event call back firmware: qcom_scm: handle echo b > /proc/sysrq-trigger scripts: mod: replace with a safe function msm: ep_pcie: Disable hot reset and ignore linkdown coresight-tmc: Replace deprecated function USB: dwc3: gadget: Queue data for 16 micro frames ahead in future power: reset: Disable support of dynamic download mode (ramdump) Conflicts: arch/arm64/boot/dts/vendor/bindings/sound/rt5645.txt Change-Id: I57c063465c2804c77c5a6f62acb6c7987a38bc7f |
||
|
Michael Bestas
|
b9715311a2 |
Merge tag 'ASB-2025-02-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2025-02-01 CVE-2024-53104 CVE-2025-0088 * tag 'ASB-2025-02-05_11-5.4' of https://android.googlesource.com/kernel/common: (449 commits) ANDROID: gki - change networking configuration ANDROID: kernelci build-break for 64-bit riscv clang builds (5.4 only) Revert "BACKPORT: RISC-V: Stop relying on GCC's register allocator's hueristics" Revert "ANDROID: declare sp_in_global outside of CONFIG_FRAME_POINTER" ANDROID: GKI: add Trimble symbol list UPSTREAM: selinux: ignore unknown extended permissions ANDROID: ABI: Update allowed list for galaxy Revert "netfilter: Replace zero-length array with flexible-array member" Revert "tracing: Constify string literal data member in struct trace_event_call" Revert "skb_expand_head() adjust skb->truesize incorrectly" Linux 5.4.289 ftrace: use preempt_enable/disable notrace macros to avoid double fault mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() drm: adv7511: Drop dsi single lane support net/sctp: Prevent autoclose integer overflow in sctp_association_init() sky2: Add device ID 11ab:4373 for Marvell 88E8075 pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking RDMA/uverbs: Prevent integer overflow issue modpost: fix the missed iteration for the max bit in do_input() modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host ... Conflicts: arch/arm64/boot/dts/vendor/bindings/clock/adi,axi-clkgen.yaml arch/arm64/boot/dts/vendor/bindings/clock/axi-clkgen.txt drivers/rpmsg/qcom_glink_native.c drivers/soc/qcom/socinfo.c Change-Id: I60727e0cdd974fda5ca71f938bc2f984a8bbf19a |
||
|
Greg Kroah-Hartman
|
21c9625b20 |
Merge 5.4.290 into android11-5.4-lts
Changes in 5.4.290 jbd2: flush filesystem device before updating tail sequence dm array: fix releasing a faulty array block twice in dm_array_cursor_end dm array: fix unreleased btree blocks on closing a faulty array cursor dm array: fix cursor index when skipping across block boundaries ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() net: 802: LLC+SNAP OID:PID lookup on start of skb data tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog tcp/dccp: allow a connection when sk_max_ack_backlog is zero net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute tls: Fix tls_sw_sendmsg error handling dm thin: make get_first_thin use rcu-safe list first function sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy sctp: sysctl: auth_enable: avoid using current->nsproxy drm/amd/display: Add check for granularity in dml ceil/floor helpers ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] drm/amd/display: increase MAX_SURFACES to the value supported by hw USB: serial: option: add MeiG Smart SRM815 USB: serial: option: add Neoway N723-EA support staging: iio: ad9834: Correct phase range check staging: iio: ad9832: Correct phase range check usb-storage: Add max sectors quirk for Nokia 208 USB: serial: cp210x: add Phoenix Contact UPS Device usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null USB: usblp: return error when setting unsupported protocol USB: core: Disable LPM only for non-suspended ports usb: fix reference leak in usb_new_device() usb: gadget: f_fs: Remove WARN_ON in functionfs_bind iio: pressure: zpa2326: fix information leak in triggered buffer iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer iio: light: vcnl4035: fix information leak in triggered buffer iio: imu: kmx61: fix information leak in triggered buffer iio: adc: ti-ads8688: fix information leak in triggered buffer iio: gyro: fxas21002c: Fix missing data update in trigger handler iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() iio: adc: at91: call input_free_device() on allocated iio_dev iio: inkern: call iio_device_put() only on mapped devices arm64: dts: rockchip: fix defines in pd_vio node for rk3399 arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399 arm64: dts: rockchip: add #power-domain-cells to power domain nodes arm64: dts: rockchip: add hevc power domain clock to rk3328 phy: core: fix code style in devm_of_phy_provider_unregister phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider ocfs2: correct return value of ocfs2_local_free_info() ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv sctp: sysctl: rto_min/max: avoid using current->nsproxy net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() net: net_namespace: Optimize the code net: add exit_batch_rtnl() method gtp: use exit_batch_rtnl() method gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp: Destroy device along with udp socket's netns dismantle. nfp: bpf: prevent integer overflow in nfp_bpf_event_output() drm/v3d: Ensure job pointer is set to NULL after job completion i2c: mux: demux-pinctrl: check initial mux selection, too mac802154: check local interfaces before deleting sdata list hfs: Sanity check the root record kheaders: Ignore silly-rename files poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() nvmet: propagate npwg topology net: ethernet: xgbe: re-add aneg to supported features in PHY quirks fs/proc: fix softlockup in __read_vmcore (part 2) irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly hrtimers: Handle CPU state correctly on hotplug ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() scsi: sg: Fix slab-use-after-free read in sg_release() net: fix data-races around sk->sk_forward_alloc ASoC: wm8994: Add depends on MFD core scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request irqchip/sunxi-nmi: Add missing SKIP_WAKE flag gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal m68k: Add missing mmap_read_lock() to sys_cacheflush() signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die net: xen-netback: hash.c: Use built-in RCU list checking net/xen-netback: prevent UAF in xenvif_flush_hash() vfio/platform: check the bounds of read/write syscalls ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path ext4: fix slab-use-after-free in ext4_split_extent_at() USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" Input: atkbd - map F23 key to support default copilot shortcut Input: xpad - add unofficial Xbox 360 wireless receiver clone Input: xpad - add support for wooting two he (arm) drm/v3d: Assign job pointer to NULL before signaling the fence xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals Linux 5.4.290 Change-Id: Ie2e10bc16d6eb9da965c01168b2b8854e5dfaf8c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Ron Economos
|
4b7032d01e |
Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals
commit 448fe5a1a4b538b235a43e57863c3a078bd13b01 upstream.
commit 9734fd7a2777 ("xhci: use pm_ptr() instead of #ifdef for CONFIG_PM
conditionals") did not quite work properly in the 5.15.y branch where it was
applied to fix a build error when CONFIG_PM was set as it left the following
build errors still present:
ERROR: modpost: "xhci_suspend" [drivers/usb/host/xhci-pci.ko] undefined!
ERROR: modpost: "xhci_resume" [drivers/usb/host/xhci-pci.ko] undefined!
Fix this up by properly placing the #ifdef CONFIG_PM in the xhci-pci.c and
hcd.h files to handle this correctly.
Link: https://lore.kernel.org/r/133dbfa0-4a37-4ae0-bb95-1a35f668ec11@w6rz.net
Signed-off-by: Ron Economos <re@w6rz.net>
Link: https://lore.kernel.org/r/d0919169-ee06-4bdd-b2e3-2f776db90971@roeck-us.net
Reported-by: Guenter Roeck <linux@roeck-us.net>
[ Trimmed the partial revert down to an even smaller bit to only be what
is required to fix the build error - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Arnd Bergmann
|
1f91ebde6e |
xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
commit 130eac4170859fb368681e00d390f20f44bbf27b upstream.
A recent patch caused an unused-function warning in builds with
CONFIG_PM disabled, after the function became marked 'static':
drivers/usb/host/xhci-pci.c:91:13: error: 'xhci_msix_sync_irqs' defined but not used [-Werror=unused-function]
91 | static void xhci_msix_sync_irqs(struct xhci_hcd *xhci)
| ^~~~~~~~~~~~~~~~~~~
This could be solved by adding another #ifdef, but as there is
a trend towards removing CONFIG_PM checks in favor of helper
macros, do the same conversion here and use pm_ptr() to get
either a function pointer or NULL but avoid the warning.
As the hidden functions reference some other symbols, make
sure those are visible at compile time, at the minimal cost of
a few extra bytes for 'struct usb_device'.
Fixes: 9abe15d55dcc ("xhci: Move xhci MSI sync function to to xhci-pci")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20230328131114.1296430-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
76e7577bb8 |
Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null"
commit 086fd062bc3883ae1ce4166cff5355db315ad879 upstream. This reverts commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec. It is reported to cause crashes on Tegra systems, so revert it for now. Link: https://lore.kernel.org/r/1037c1ad-9230-4181-b9c3-167dbaa47644@nvidia.com Reported-by: Jon Hunter <jonathanh@nvidia.com> Cc: stable <stable@kernel.org> Cc: Lianqin Hu <hulianqin@vivo.com> Link: https://lore.kernel.org/r/2025011711-yippee-fever-a737@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Qasim Ijaz
|
fa4c747246 |
USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
commit 575a5adf48b06a2980c9eeffedf699ed5534fade upstream.
This patch addresses a null-ptr-deref in qt2_process_read_urb() due to
an incorrect bounds check in the following:
if (newport > serial->num_ports) {
dev_err(&port->dev,
"%s - port change to invalid port: %i\n",
__func__, newport);
break;
}
The condition doesn't account for the valid range of the serial->port
buffer, which is from 0 to serial->num_ports - 1. When newport is equal
to serial->num_ports, the assignment of "port" in the
following code is out-of-bounds and NULL:
serial_priv->current_port = newport;
port = serial->port[serial_priv->current_port];
The fix checks if newport is greater than or equal to serial->num_ports
indicating it is out-of-bounds.
Reported-by: syzbot <syzbot+506479ebf12fe435d01a@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=506479ebf12fe435d01a
Fixes:
|
||
|
Akash M
|
bfe60030fc |
usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream.
This commit addresses an issue related to below kernel panic where
panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON
in functionsfs_bind, which easily leads to the following scenarios.
1.adb_write in adbd 2. UDC write via configfs
================= =====================
->usb_ffs_open_thread() ->UDC write
->open_functionfs() ->configfs_write_iter()
->adb_open() ->gadget_dev_desc_UDC_store()
->adb_write() ->usb_gadget_register_driver_owner
->driver_register()
->StartMonitor() ->bus_add_driver()
->adb_read() ->gadget_bind_driver()
<times-out without BIND event> ->configfs_composite_bind()
->usb_add_function()
->open_functionfs() ->ffs_func_bind()
->adb_open() ->functionfs_bind()
<ffs->state !=FFS_ACTIVE>
The adb_open, adb_read, and adb_write operations are invoked from the
daemon, but trying to bind the function is a process that is invoked by
UDC write through configfs, which opens up the possibility of a race
condition between the two paths. In this race scenario, the kernel panic
occurs due to the WARN_ON from functionfs_bind when panic_on_warn is
enabled. This commit fixes the kernel panic by removing the unnecessary
WARN_ON.
Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 14.542395] Call trace:
[ 14.542464] ffs_func_bind+0x1c8/0x14a8
[ 14.542468] usb_add_function+0xcc/0x1f0
[ 14.542473] configfs_composite_bind+0x468/0x588
[ 14.542478] gadget_bind_driver+0x108/0x27c
[ 14.542483] really_probe+0x190/0x374
[ 14.542488] __driver_probe_device+0xa0/0x12c
[ 14.542492] driver_probe_device+0x3c/0x220
[ 14.542498] __driver_attach+0x11c/0x1fc
[ 14.542502] bus_for_each_dev+0x104/0x160
[ 14.542506] driver_attach+0x24/0x34
[ 14.542510] bus_add_driver+0x154/0x270
[ 14.542514] driver_register+0x68/0x104
[ 14.542518] usb_gadget_register_driver_owner+0x48/0xf4
[ 14.542523] gadget_dev_desc_UDC_store+0xf8/0x144
[ 14.542526] configfs_write_iter+0xf0/0x138
Fixes:
|
||
|
Ma Ke
|
b24a6afa56 |
usb: fix reference leak in usb_new_device()
commit 0df11fa8cee5a9cf8753d4e2672bb3667138c652 upstream.
When device_add(&udev->dev) succeeds and a later call fails,
usb_new_device() does not properly call device_del(). As comment of
device_add() says, 'if device_add() succeeds, you should call
device_del() when you want to get rid of it. If device_add() has not
succeeded, use only put_device() to drop the reference count'.
Found by code review.
Cc: stable <stable@kernel.org>
Fixes:
|
||
|
Kai-Heng Feng
|
7369c8ffc2 |
USB: core: Disable LPM only for non-suspended ports
commit 59bfeaf5454b7e764288d84802577f4a99bf0819 upstream. There's USB error when tegra board is shutting down: [ 180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113 [ 180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113 [ 180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113 [ 186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead [ 186.157858] tegra-xusb 3610000.usb: HC died; cleaning up [ 186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command The issue is caused by disabling LPM on already suspended ports. For USB2 LPM, the LPM is already disabled during port suspend. For USB3 LPM, port won't transit to U1/U2 when it's already suspended in U3, hence disabling LPM is only needed for ports that are not suspended. Cc: Wayne Chang <waynec@nvidia.com> Cc: stable <stable@kernel.org> Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown") Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Tested-by: Jon Hunter <jonathanh@nvidia.com> Link: https://lore.kernel.org/r/20241206074817.89189-1-kaihengf@nvidia.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jun Yan
|
01af472c23 |
USB: usblp: return error when setting unsupported protocol
commit 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 upstream.
Fix the regression introduced by commit d8c6edfa3f4e ("USB:
usblp: don't call usb_set_interface if there's a single alt"),
which causes that unsupported protocols can also be set via
ioctl when the num_altsetting of the device is 1.
Move the check for protocol support to the earlier stage.
Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt")
Cc: stable <stable@kernel.org>
Signed-off-by: Jun Yan <jerrysteve1101@gmail.com>
Link: https://lore.kernel.org/r/20241212143852.671889-1-jerrysteve1101@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Lianqin Hu
|
f5f33fb57a |
usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec upstream.
Considering that in some extreme cases, when performing the
unbinding operation, gserial_disconnect has cleared gser->ioport,
which triggers gadget reconfiguration, and then calls gs_read_complete,
resulting in access to a null pointer. Therefore, ep is disabled before
gserial_disconnect sets port to null to prevent this from happening.
Call trace:
gs_read_complete+0x58/0x240
usb_gadget_giveback_request+0x40/0x160
dwc3_remove_requests+0x170/0x484
dwc3_ep0_out_start+0xb0/0x1d4
__dwc3_gadget_start+0x25c/0x720
kretprobe_trampoline.cfi_jt+0x0/0x8
kretprobe_trampoline.cfi_jt+0x0/0x8
udc_bind_to_driver+0x1d8/0x300
usb_gadget_probe_driver+0xa8/0x1dc
gadget_dev_desc_UDC_store+0x13c/0x188
configfs_write_iter+0x160/0x1f4
vfs_write+0x2d0/0x40c
ksys_write+0x7c/0xf0
__arm64_sys_write+0x20/0x30
invoke_syscall+0x60/0x150
el0_svc_common+0x8c/0xf8
do_el0_svc+0x28/0xa0
el0_svc+0x24/0x84
Fixes:
|
||
|
Johan Hovold
|
faa0eeaf36 |
USB: serial: cp210x: add Phoenix Contact UPS Device
commit 854eee93bd6e3dca619d47087af4d65b2045828e upstream.
Phoenix Contact sells UPS Quint devices [1] with a custom datacable [2]
that embeds a Silicon Labs converter:
Bus 001 Device 003: ID 1b93:1013 Silicon Labs Phoenix Contact UPS Device
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x1b93
idProduct 0x1013
bcdDevice 1.00
iManufacturer 1 Silicon Labs
iProduct 2 Phoenix Contact UPS Device
iSerial 3 <redacted>
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 2 Phoenix Contact UPS Device
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
[1] https://www.phoenixcontact.com/en-pc/products/power-supply-unit-quint-ps-1ac-24dc-10-2866763
[2] https://www.phoenixcontact.com/en-il/products/data-cable-preassembled-ifs-usb-datacable-2320500
Reported-by: Giuseppe Corbelli <giuseppe.corbelli@antaresvision.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Lubomir Rintel
|
a5754f7331 |
usb-storage: Add max sectors quirk for Nokia 208
commit cdef30e0774802df2f87024d68a9d86c3b99ca2a upstream. This fixes data corruption when accessing the internal SD card in mass storage mode. I am actually not too sure why. I didn't figure a straightforward way to reproduce the issue, but i seem to get garbage when issuing a lot (over 50) of large reads (over 120 sectors) are done in a quick succession. That is, time seems to matter here -- larger reads are fine if they are done with some delay between them. But I'm not great at understanding this sort of things, so I'll assume the issue other, smarter, folks were seeing with similar phones is the same problem and I'll just put my quirk next to theirs. The "Software details" screen on the phone is as follows: V 04.06 07-08-13 RM-849 (c) Nokia TL;DR version of the device descriptor: idVendor 0x0421 Nokia Mobile Phones idProduct 0x06c2 bcdDevice 4.06 iManufacturer 1 Nokia iProduct 2 Nokia 208 The patch assumes older firmwares are broken too (I'm unable to test, but no biggie if they aren't I guess), and I have no idea if newer firmware exists. Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> Cc: stable <stable@kernel.org> Acked-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/20250101212206.2386207-1-lkundrak@v3.sk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Michal Hrusecky
|
dffc4f7d2e |
USB: serial: option: add Neoway N723-EA support
commit f5b435be70cb126866fa92ffc6f89cda9e112c75 upstream. Update the USB serial option driver to support Neoway N723-EA. ID 2949:8700 Marvell Mobile Composite Device Bus T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2949 ProdID=8700 Rev= 1.00 S: Manufacturer=Marvell S: Product=Mobile Composite Device Bus S: SerialNumber=200806006809080000 C:* #Ifs= 5 Cfg#= 1 Atr=c0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0e(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Tested successfully connecting to the Internet via rndis interface after dialing via AT commands on If#=4 or If#=6. Not sure of the purpose of the other serial interface. Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com> Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Chukun Pan
|
f8d57de3c8 |
USB: serial: option: add MeiG Smart SRM815
commit c1947d244f807b1f95605b75a4059e7b37b5dcc3 upstream. It looks like SRM815 shares ID with SRM825L. T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2dee ProdID=4d22 Rev= 4.14 S: Manufacturer=MEIG S: Product=LTE-A Module S: SerialNumber=123456 C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> Link: https://lore.kernel.org/lkml/20241215100027.1970930-1-amadeus@jmu.edu.cn/ Link: https://lore.kernel.org/all/4333b4d0-281f-439d-9944-5570cbc4971d@gmail.com/ Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Tommy Webb
|
45610a015f |
Revert "usb: dwc3: dwc3-msm: Save dr_mode from DWC3 core node into mdwc"
This reverts commit 6dea6a501418e1561d48f141d288866d71684372. Reason for revert: Prevents device from entering deep sleep (possibly improper port). NOTE: dwc3_msm_role_allowed was added in a later change, specifically "usb: dwc3: dwc3-msm-core: Reject incompatible role/mode request", but it is necessary to modify it here due to that change's dependency on dr_mode being present where it is no longer available after this revert (it is available elsewhere). Issue: https://gitlab.com/LineageOS/issues/android/-/issues/8226 Issue: calyxos#2970 Change-Id: I03e9b7960d62999e019464b538a2642644e7fc6c |
||
|
Sultan Alsawaf
|
e21e264ca9 |
usb: dwc3: msm: Enforce usb_data_enabled by blocking role switches
Block USB enumeration from the get-go by blocking role switches away from USB_ROLE_NONE when usb_data_enabled is false. Change-Id: I0eff78e56e4a3b64262f220a085cfec5910baf30 Signed-off-by: Sultan Alsawaf <sultan@osomprivacy.com> |
||
|
Pavankumar Kondeti
|
c22c572f86 |
usb: dwc3: dwc3-msm-core: Reject incompatible role/mode request
If USB controller is configured to work in a specific mode, reject any compatible role/mode request. For example, if device mode is only allowed, switching to host mode/role is not allowed. The current code allows this and it results in accessing invalid dwc host structures. Change-Id: I5e4d905c8240ad228f48b40fe36298029d8770e1 Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com> |
||
|
Wesley Cheng
|
8f05d443e4 |
usb: dwc3: dwc3-msm: Save dr_mode from DWC3 core node into mdwc
To avoid dependencies for the DWC3 core device to be present during dwc3_msm_probe(), read out the dr_mode property from the DT node directly. Since this property can not dynamically change, it will be the same per compile time setting. Change-Id: I3b56bde13af141ea01f06ea5b81e44bc034bf7b1 Signed-off-by: Wesley Cheng <wcheng@codeaurora.org> |
||
|
Tommy Webb
|
5c0c40f028 |
Revert "usb: dwc3: Handle charging behavior when usb data is disabled"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
a85d92d704 |
Merge 5.4.289 into android11-5.4-lts
Changes in 5.4.289 net: sched: fix ordering of qlen adjustment usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled PCI/AER: Disable AER service on suspend ALSA: usb: Fix UBSAN warning in parse_audio_unit() PCI: Add ACS quirk for Broadcom BCM5760X NIC i2c: pnx: Fix timeout in wait functions drm/i915: Fix memory leak by correcting cache object name in error handler erofs: fix order >= MAX_ORDER warning due to crafted negative i_size erofs: fix incorrect symlink detection in fast symlink net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll ionic: use ee->offset when returning sprom data net: hinic: Fix cleanup in create_rxqs/txqs() net: ethernet: bgmac-platform: fix an OF node reference leak netfilter: ipset: Fix for recursive locking warning mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk chelsio/chtls: prevent potential integer overflow on 32bit i2c: riic: Always round-up when calculating bus period efivarfs: Fix error on non-existent file USB: serial: option: add TCL IK512 MBIM & ECM USB: serial: option: add MeiG Smart SLM770A USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready USB: serial: option: add MediaTek T7XX compositions USB: serial: option: add Telit FE910C04 rmnet compositions sh: clk: Fix clk_enable() to return 0 on NULL clk zram: refuse to use zero sized block device as backing device btrfs: tree-checker: reject inline extent items with 0 ref count NFS/pnfs: Fix a live lock between recalled layouts and layoutget of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one() nilfs2: prevent use of deleted inode udmabuf: also check for F_SEAL_FUTURE_WRITE of: Fix error path in of_parse_phandle_with_args_map() of: Fix refcount leakage for OF node returned by __of_get_dma_parent() media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg bpf: Check negative offsets in __bpf_skb_min_len() nfsd: restore callback functionality for NFSv4.0 mtd: diskonchip: Cast an operand to prevent potential overflow phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_phy_destroy() fails to destroy the phy dmaengine: mv_xor: fix child node refcount handling in early exit dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset mtd: rawnand: fix double free in atmel_pmecc_create_user() tracing/kprobe: Make trace_kprobe's module callback called after jump_label update scsi: qla1280: Fix hw revision numbering for ISP1020/1040 scsi: megaraid_sas: Fix for a potential deadlock regmap: Use correct format specifier for logging range errors platform/x86: asus-nb-wmi: Ignore unknown event 0xCF scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time virtio-blk: don't keep queue frozen during system suspend epoll: Add synchronous wakeup support for ep_poll_callback MIPS: Probe toolchain support of -msym32 skbuff: introduce skb_expand_head() ipv6: use skb_expand_head in ip6_finish_output2 ipv6: use skb_expand_head in ip6_xmit ipv6: fix possible UAF in ip6_finish_output2() bpf: fix recursive lock when verdict program return SK_PASS tracing: Constify string literal data member in struct trace_event_call btrfs: avoid monopolizing a core when activating a swap file skb_expand_head() adjust skb->truesize incorrectly ipv6: prevent possible UAF in ip6_xmit() selinux: ignore unknown extended permissions Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet IB/mlx5: Introduce and use mlx5_core_is_vf() net/mlx5: Make API mlx5_core_is_ecpf accept const pointer RDMA/mlx5: Enforce same type port association for multiport RoCE RDMA/bnxt_re: Add check for path mtu in modify_qp RDMA/bnxt_re: Fix reporting hw_ver in query_device RDMA/bnxt_re: Fix max_qp_wrs reported drm: bridge: adv7511: Enable SPDIF DAI drm/bridge: adv7511_audio: Update Audio InfoFrame properly netrom: check buffer length before accessing it netfilter: Replace zero-length array with flexible-array member netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext net: llc: reset skb->transport_header ALSA: usb-audio: US16x08: Initialize array before use af_packet: fix vlan_get_tci() vs MSG_PEEK af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK ila: serialize calls to nf_register_net_hooks() wifi: mac80211: wake the queues in case of failure in resume sound: usb: format: don't warn that raw DSD is unsupported bpf: fix potential error return net: usb: qmi_wwan: add Telit FE910C04 compositions irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base ARC: build: Try to guess GCC variant of cross compiler modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host modpost: fix the missed iteration for the max bit in do_input() RDMA/uverbs: Prevent integer overflow issue pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking sky2: Add device ID 11ab:4373 for Marvell 88E8075 net/sctp: Prevent autoclose integer overflow in sctp_association_init() drm: adv7511: Drop dsi single lane support mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() ftrace: use preempt_enable/disable notrace macros to avoid double fault Linux 5.4.289 Change-Id: I2fe8ada5386224ce16b22d4e1eff016656be40f3 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Daniele Palmas
|
a36572118c |
USB: serial: option: add Telit FE910C04 rmnet compositions
commit 8366e64a4454481339e7c56a8ad280161f2e441d upstream. Add the following Telit FE910C04 compositions: 0x10c0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c0 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c4: rmnet + tty (AT) + tty (AT) + tty (diag) T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c4 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c8: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c8 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas <dnlplm@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jack Wu
|
dfe21fb44e |
USB: serial: option: add MediaTek T7XX compositions
commit f07dfa6a1b65034a5c3ba3a555950d972f252757 upstream. Add the MediaTek T7XX compositions: T: Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 74 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0e8d ProdID=7129 Rev= 0.01 S: Manufacturer=MediaTek Inc. S: Product=USB DATA CARD S: SerialNumber=004402459035402 C:* #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms ------------------------------- | If Number | Function | ------------------------------- | 2 | USB AP Log Port | ------------------------------- | 3 | USB AP GNSS Port| ------------------------------- | 4 | USB AP META Port| ------------------------------- | 5 | ADB port | ------------------------------- | 6 | USB MD AT Port | ------------------------------ | 7 | USB MD META Port| ------------------------------- | 8 | USB NTZ Port | ------------------------------- | 9 | USB Debug port | ------------------------------- Signed-off-by: Jack Wu <wojackbb@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Mank Wang
|
e3374308d2 |
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
commit aa954ae08262bb5cd6ab18dd56a0b58c1315db8b upstream. LCUK54-WRD's pid/vid 0x3731/0x010a 0x3731/0x010c LCUK54-WWD's pid/vid 0x3731/0x010b 0x3731/0x010d Above products use the exact same interface layout and option driver: MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=3731 ProdID=0101 Rev= 5.04 S: Manufacturer=NetPrisma S: Product=LCUK54-WRD S: SerialNumber=feeba631 C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Mank Wang <mank.wang@netprisma.com> [ johan: use lower case hex notation ] Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Michal Hrusecky
|
dafbc0d826 |
USB: serial: option: add MeiG Smart SLM770A
commit 724d461e44dfc0815624d2a9792f2f2beb7ee46d upstream. Update the USB serial option driver to support MeiG Smart SLM770A. ID 2dee:4d57 Marvell Mobile Composite Device Bus T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2dee ProdID=4d57 Rev= 1.00 S: Manufacturer=Marvell S: Product=Mobile Composite Device Bus C:* #Ifs= 6 Cfg#= 1 Atr=c0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0e(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Tested successfully connecting to the Internet via rndis interface after dialing via AT commands on If#=3 or If#=4. Not sure of the purpose of the other serial interfaces. Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com> Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Swanemar
|
a678147a6b |
USB: serial: option: add TCL IK512 MBIM & ECM
commit fdad4fb7c506bea8b419f70ff2163d99962e8ede upstream. Add the following TCL IK512 compositions: 0x0530: Modem + Diag + AT + MBIM T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=10000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=1bbb ProdID=0530 Rev=05.04 S: Manufacturer=TCL S: Product=TCL 5G USB Dongle S: SerialNumber=3136b91a C: #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=896mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms 0x0640: ECM + Modem + Diag + AT T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 4 Spd=10000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=1bbb ProdID=0640 Rev=05.04 S: Manufacturer=TCL S: Product=TCL 5G USB Dongle S: SerialNumber=3136b91a C: #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=896mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms Signed-off-by: Daniel Swanemar <d.swanemar@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Peng Hongchi
|
f413230a1f |
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
[ Upstream commit 1134289b6b93d73721340b66c310fd985385e8fa ] When using dma_map_sg() to map the scatterlist with iommu enabled, the entries in the scatterlist can be mergerd into less but longer entries in the function __finalise_sg(). So that the number of valid mapped entries is actually smaller than ureq->num_reqs,and there are still some invalid entries in the scatterlist with dma_addr=0xffffffff and len=0. Writing these invalid sg entries into the dma_desc can cause a data transmission error. The function dma_map_sg() returns the number of valid map entries and the return value is assigned to usb_request::num_mapped_sgs in function usb_gadget_map_request_by_dev(). So that just write valid mapped entries into dma_desc according to the usb_request::num_mapped_sgs, and set the IOC bit if it's the last valid mapped entry. This patch poses no risk to no-iommu situation, cause ureq->num_mapped_sgs equals ureq->num_sgs while using dma_direct_map_sg() to map the scatterlist whith iommu disabled. Signed-off-by: Peng Hongchi <hongchi.peng@siengine.com> Link: https://lore.kernel.org/r/20240523100315.7226-1-hongchi.peng@siengine.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
QCTECMDR Service
|
6ea403acf3 | Merge "USB: dwc3: gadget: Add stop transfer request for isoc transfers" | ||
|
QCTECMDR Service
|
9d163aee48 | Merge "USB: dwc3: gadget: Queue data for 16 micro frames ahead in future" | ||
|
Greg Kroah-Hartman
|
4d8aad9b5e |
Merge 5.4.288 into android11-5.4-lts
Changes in 5.4.288 usb: host: max3421-hcd: Correctly abort a USB request. ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature usb: ehci-hcd: fix call balance of clocks handling routines usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer xfs: don't drop errno values when we fail to ficlone the entire range bpf, sockmap: Fix update element with same batman-adv: Do not send uninitialized TT changes batman-adv: Remove uninitialized data in full table TT response batman-adv: Do not let TT changes list grows indefinitely tipc: fix NULL deref in cleanup_bearer() net: lapb: increase LAPB_HEADER_LEN ACPI: resource: Fix memory resource type union access qca_spi: Fix clock speed for multiple QCA7000 qca_spi: Make driver probing reliable net/sched: netem: account for backlog updates from child qdisc ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired blk-iocost: clamp inuse and skip noops in __propagate_weights() blk-iocost: fix weight updates of inner active iocgs blk-iocost: Avoid using clamp() on inuse in __propagate_weights() KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe() xen/netfront: fix crash when removing device ALSA: usb-audio: Fix a DMA to stack memory bug Linux 5.4.288 Change-Id: Ie329f210978bae25fa2703d4106a3880bb9ba53c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
AKASH KUMAR
|
09c3ad5d25 |
USB: dwc3: gadget: Add stop transfer request for isoc transfers
Currently,stop transfer is done based on missed isoc packets which can cause issue when software list is empty with no missed isoc. Issue stop active transfers if started list is empty. Also,Frame_number is set from XferNotReady and may be already out of date. DSTS only provides the lower 14 bit of the current frame number. So add the upper two bits of frame_number and handle a possible rollover. This will provide the correct frame_number unless more than rollover has happened since XferNotReady. Increase TX fifo size for isochronous endpoint in case maxburst is greater than 6 for better performance. Added Endtransfer logic to be called when BUS expiry happens due to frame mismatch. Change-Id: I672529f4a4fa2740b46febbe265cd386e5932017 Signed-off-by: AKASH KUMAR <quic_akakum@quicinc.com> |
||
|
Lianqin Hu
|
4efdfdc32d |
usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer
commit 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b upstream.
Considering that in some extreme cases,
when u_serial driver is accessed by multiple threads,
Thread A is executing the open operation and calling the gs_open,
Thread B is executing the disconnect operation and calling the
gserial_disconnect function,The port->port_usb pointer will be set to NULL.
E.g.
Thread A Thread B
gs_open() gadget_unbind_driver()
gs_start_io() composite_disconnect()
gs_start_rx() gserial_disconnect()
... ...
spin_unlock(&port->port_lock)
status = usb_ep_queue() spin_lock(&port->port_lock)
spin_lock(&port->port_lock) port->port_usb = NULL
gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock)
Crash
This causes thread A to access a null pointer (port->port_usb is null)
when calling the gs_free_requests function, causing a crash.
If port_usb is NULL, the release request will be skipped as it
will be done by gserial_disconnect.
So add a null pointer check to gs_start_io before attempting
to access the value of the pointer port->port_usb.
Call trace:
gs_start_io+0x164/0x25c
gs_open+0x108/0x13c
tty_open+0x314/0x638
chrdev_open+0x1b8/0x258
do_dentry_open+0x2c4/0x700
vfs_open+0x2c/0x3c
path_openat+0xa64/0xc60
do_filp_open+0xb8/0x164
do_sys_openat2+0x84/0xf0
__arm64_sys_openat+0x70/0x9c
invoke_syscall+0x58/0x114
el0_svc_common+0x80/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x38/0x68
Fixes:
|
||
|
Vitalii Mordan
|
357219c16f |
usb: ehci-hcd: fix call balance of clocks handling routines
commit 97264eaaba0122a5b7e8ddd7bf4ff3ac57c2b170 upstream.
If the clocks priv->iclk and priv->fclk were not enabled in ehci_hcd_sh_probe,
they should not be disabled in any path.
Conversely, if they was enabled in ehci_hcd_sh_probe, they must be disabled
in all error paths to ensure proper cleanup.
Found by Linux Verification Center (linuxtesting.org) with Klever.
Fixes:
|
||
|
Stefan Wahren
|
2da6e4d35d |
usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature
commit a8d3e4a734599c7d0f6735f8db8a812e503395dd upstream.
On Rasperry Pis without onboard USB hub the power cycle during
power connect init only disable the port but never enabled it again:
usb usb1-port1: attempt power cycle
The port relevant part in dwc2_hcd_hub_control() is skipped in case
port_connect_status = 0 under the assumption the core is or will be soon
in device mode. But this assumption is wrong, because after ClearPortFeature
USB_PORT_FEAT_POWER the port_connect_status will also be 0 and
SetPortFeature (incl. USB_PORT_FEAT_POWER) will be a no-op.
Fix the behavior of dwc2_hcd_hub_control() by replacing the
port_connect_status check with dwc2_is_device_mode().
Link: https://github.com/raspberrypi/linux/issues/6247
Fixes:
|
||
|
Mark Tomlinson
|
d4b2afe2fa |
usb: host: max3421-hcd: Correctly abort a USB request.
commit 0d2ada05227881f3d0722ca2364e3f7a860a301f upstream.
If the current USB request was aborted, the spi thread would not respond
to any further requests. This is because the "curr_urb" pointer would
not become NULL, so no further requests would be taken off the queue.
The solution here is to set the "urb_done" flag, as this will cause the
correct handling of the URB. Also clear interrupts that should only be
expected if an URB is in progress.
Fixes:
|
||
|
Michael Bestas
|
0262d4e51f |
Merge tag 'ASB-2024-12-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2024-12-01 * tag 'ASB-2024-12-05_11-5.4' of https://android.googlesource.com/kernel/common: (552 commits) UPSTREAM: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT ANDROID: add file for recording allowed ABI breaks Revert "spi: Fix deadlock when adding SPI controllers on SPI buses" Revert "spi: fix use-after-free of the add_lock mutex" ANDROID: declare sp_in_global outside of CONFIG_FRAME_POINTER BACKPORT: RISC-V: Stop relying on GCC's register allocator's hueristics UPSTREAM: x86/percpu: Clean up percpu_add_op() UPSTREAM: x86/percpu: Clean up percpu_from_op() UPSTREAM: x86/percpu: Clean up percpu_to_op() UPSTREAM: x86/percpu: Introduce size abstraction macros BACKPORT: FROMGIT: binder: add delivered_freeze to debugfs output BACKPORT: FROMGIT: binder: fix memleak of proc->delivered_freeze FROMGIT: binder: allow freeze notification for dead nodes FROMGIT: binder: fix BINDER_WORK_CLEAR_FREEZE_NOTIFICATION debug logs FROMGIT: binder: fix BINDER_WORK_FROZEN_BINDER debug logs BACKPORT: FROMGIT: binder: fix freeze UAF in binder_release_work() FROMGIT: binder: fix OOB in binder_add_freeze_work() FROMGIT: binder: fix node UAF in binder_add_freeze_work() Linux 5.4.286 mm: avoid leaving partial pfn mappings around in error case ... Conflicts: arch/arm64/boot/dts/vendor/bindings/gpu/samsung-rotator.txt arch/arm64/boot/dts/vendor/bindings/gpu/samsung-rotator.yaml drivers/clk/qcom/clk-rpmh.c drivers/usb/dwc3/core.c fs/erofs/decompressor.c net/qrtr/qrtr.c Change-Id: Iae3a7502b304d7be66da795411c4f330eef8b693 |
||
|
Greg Kroah-Hartman
|
ad8d63bdc6 |
Merge 5.4.287 into android11-5.4-lts
Changes in 5.4.287
netlink: terminate outstanding dump on socket close
net/mlx5: fs, lock FTE when checking if active
net/mlx5e: kTLS, Fix incorrect page refcounting
ocfs2: uncache inode which has failed entering the group
KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN
nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
ocfs2: fix UBSAN warning in ocfs2_verify_volume()
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set
kbuild: Use uname for LINUX_COMPILE_HOST detection
mm: revert "mm: shmem: fix data-race in shmem_getattr()"
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
mac80211: fix user-power when emulating chanctx
selftests/watchdog-test: Fix system accidentally reset after watchdog-test
ALSA: hda/realtek: Add subwoofer quirk for Infinix ZERO BOOK 13
x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB
net: usb: qmi_wwan: add Quectel RG650V
soc: qcom: Add check devm_kasprintf() returned value
regulator: rk808: Add apply_bit for BUCK3 on RK809
ASoC: stm: Prevent potential division by zero in stm32_sai_mclk_round_rate()
ASoC: stm: Prevent potential division by zero in stm32_sai_get_clk_div()
proc/softirqs: replace seq_printf with seq_put_decimal_ull_width
ipmr: Fix access to mfc_cache_list without lock held
cifs: Fix buffer overflow when parsing NFS reparse points
NFSD: Force all NFSv4.2 COPY requests to be synchronous
nvme: fix metadata handling in nvme-passthrough
x86/xen/pvh: Annotate indirect branch as safe
mips: asm: fix warning when disabling MIPS_FP_SUPPORT
initramfs: avoid filename buffer overrun
nvme-pci: fix freeing of the HMB descriptor table
m68k: mvme147: Fix SCSI controller IRQ numbers
m68k: mvme16x: Add and use "mvme16x.h"
m68k: mvme147: Reinstate early console
acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block()
s390/syscalls: Avoid creation of arch/arch/ directory
hfsplus: don't query the device logical block size multiple times
firmware: google: Unregister driver_info on failure and exit in gsmi
firmware: google: Unregister driver_info on failure
EDAC/bluefield: Fix potential integer overflow
EDAC/fsl_ddr: Fix bad bit shift operations
crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
crypto: cavium - Fix the if condition to exit loop after timeout
crypto: bcm - add error check in the ahash_hmac_init function
crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
time: Fix references to _msecs_to_jiffies() handling of values
soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq()
soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
mmc: mmc_spi: drop buggy snprintf()
efi/tpm: Pass correct address to memblock_reserve
tpm: fix signed/unsigned bug when checking event logs
ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
regmap: irq: Set lockdep class for hierarchical IRQ domains
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
drm/omap: Fix locking in omap_gem_new_dmabuf()
wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq()
wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq()
drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq()
dt-bindings: vendor-prefixes: Add NeoFidelity, Inc
ASoC: fsl_micfil: Drop unnecessary register read
ASoC: fsl_micfil: do not define SHIFT/MASK for single bits
ASoC: fsl_micfil: use GENMASK to define register bit fields
ASoC: fsl_micfil: fix regmap_write_bits usage
bpf: Fix the xdp_adjust_tail sample prog issue
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()
drm/panfrost: Remove unused id_mask from struct panfrost_model
drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq()
drm/etnaviv: dump: fix sparse warnings
drm/etnaviv: fix power register offset on GC300
drm/etnaviv: hold GPU lock across perfmon sampling
bpf, sockmap: Several fixes to bpf_msg_push_data
bpf, sockmap: Several fixes to bpf_msg_pop_data
bpf, sockmap: Fix sk_msg_reset_curr
selftests: net: really check for bg process completion
net: rfkill: gpio: Add check for clk_enable()
ALSA: us122l: Use snd_card_free_when_closed() at disconnection
ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
ALSA: 6fire: Release resources at card release
netpoll: Use rcu_access_pointer() in netpoll_poll_lock
trace/trace_event_perf: remove duplicate samples on the first tracepoint event
powerpc/vdso: Flag VDSO64 entry points as functions
mfd: tps65010: Use IRQF_NO_AUTOEN flag in request_irq() to fix race
mfd: da9052-spi: Change read-mask to write-mask
mfd: intel_soc_pmic_bxtwc: Use dev_err_probe()
mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device
mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device
mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices
cpufreq: loongson2: Unregister platform_driver on failure
mtd: rawnand: atmel: Fix possible memory leak
RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
mfd: rt5033: Fix missing regmap_del_irq_chip()
scsi: bfa: Fix use-after-free in bfad_im_module_exit()
scsi: fusion: Remove unused variable 'rc'
scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb()
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
ocfs2: fix uninitialized value in ocfs2_file_read_iter()
powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
fbdev/sh7760fb: Alloc DMA memory from hardware device
fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format
dt-bindings: clock: axi-clkgen: include AXI clk
clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand
clk: clk-axi-clkgen: make sure to enable the AXI bus clock
perf cs-etm: Don't flush when packet_queue fills up
perf probe: Correct demangled symbols in C++ program
PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
PCI: cpqphp: Fix PCIBIOS_* return value confusion
m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
m68k: coldfire/device.c: only build FEC when HW macros are defined
perf trace: Do not lose last events in a race
perf trace: Avoid garbage when not printing a syscall's arguments
rpmsg: glink: Add TX_DATA_CONT command while sending
rpmsg: glink: Send READ_NOTIFY command in FIFO full case
rpmsg: glink: Fix GLINK command prefix
rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
NFSD: Fix nfsd4_shutdown_copy()
vfio/pci: Properly hide first-in-list PCIe extended capability
power: supply: core: Remove might_sleep() from power_supply_put()
net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device
tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration
marvell: pxa168_eth: fix call balance of pep->clk handling routines
net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
ipmr: convert /proc handlers to rcu_read_lock()
ipmr: fix tables suspicious RCU usage
usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read()
usb: yurex: make waiting on yurex_write interruptible
USB: chaoskey: fail open after removal
USB: chaoskey: Fix possible deadlock chaoskey_list_lock
misc: apds990x: Fix missing pm_runtime_disable()
staging: greybus: uart: clean up TIOCGSERIAL
apparmor: fix 'Do simple duplicate message elimination'
usb: ehci-spear: fix call balance of sehci clk handling routines
cgroup: Make operations on the cgroup root_list RCU safe
cgroup: Move rcu_head up near the top of cgroup_root
soc: qcom: socinfo: fix revision check in qcom_socinfo_probe()
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
ext4: supress data-race warnings in ext4_free_inodes_{count,set}()
ext4: fix FS_IOC_GETFSMAP handling
jfs: xattr: check invalid xattr size more strictly
ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata()
PCI: Fix use-after-free of slot->bus on hot remove
comedi: Flush partial mappings in error case
tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler
Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()
Revert "usb: gadget: composite: fix OS descriptors w_value logic"
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit"
netfilter: ipset: add missing range check in bitmap_ip_uadt
spi: Fix acpi deferred irq probe
ubi: wl: Put source PEB into correct list if trying locking LEB failed
um: ubd: Do not use drvdata in release
um: net: Do not use drvdata in release
serial: 8250: omap: Move pm_runtime_get_sync
um: vector: Do not use drvdata in release
sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
block: fix ordering between checking BLK_MQ_S_STOPPED request adding
HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
media: wl128x: Fix atomicity violation in fmc_send_cmd()
ALSA: hda/realtek: Update ALC225 depop procedure
ALSA: hda/realtek: Set PCBeep to default value for ALC274
ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max
ALSA: hda/realtek: Apply quirk for Medion E15433
usb: dwc3: gadget: Fix checking for number of TRBs left
lib: string_helpers: silence snprintf() output truncation warning
NFSD: Prevent a potential integer overflow
SUNRPC: make sure cache entry active before cache_show
rpmsg: glink: Propagate TX failures in intentless mode as well
um: Fix potential integer overflow during physmem setup
um: Fix the return value of elf_core_copy_task_fpregs
um/sysrq: remove needless variable sp
um: add show_stack_loglvl()
um: Clean up stacktrace dump
um: Always dump trace for specified task in show_stack
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq()
rtc: abx80x: Fix WDT bit position of the status register
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
ubifs: Correct the total block count by deducting journal reservation
ubi: fastmap: Fix duplicate slab cache names while attaching
ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
jffs2: fix use of uninitialized variable
block: return unsigned int from bdev_io_min
9p/xen: fix init sequence
9p/xen: fix release of IRQ
rtc: ab-eoz9: don't fail temperature reads on undervoltage notification
modpost: remove incorrect code in do_eisa_entry()
SUNRPC: correct error code comment in xs_tcp_setup_socket()
SUNRPC: Replace internal use of SOCKWQ_ASYNC_NOSPACE
sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport
sh: intc: Fix use-after-free bug in register_intc_controller()
ASoC: fsl_micfil: fix the naming style for mask definition
quota: flush quota_release_work upon quota writeback
btrfs: ref-verify: fix use-after-free after invalid ref action
media: i2c: tc358743: Fix crash in the probe error path when using polling
media: ts2020: fix null-ptr-deref in ts2020_probe()
media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled
media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate()
media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()
ovl: Filter invalid inodes with missing lookup function
ftrace: Fix regression with module command in stack_trace_filter
clk: qcom: gcc-qcs404: fix initial rate of GPLL3
ad7780: fix division by zero in ad7780_write_raw()
util_macros.h: fix/rework find_closest() macros
i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()
dm thin: Add missing destroy_work_on_stack()
nfsd: make sure exp active before svc_export_show
nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur
drm/etnaviv: flush shader L1 cache after user commandstream
iTCO_wdt: mask NMI_NOW bit for update_no_reboot_bit() call
watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart()
can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL
can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics
ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()
netfilter: x_tables: fix LED ID check in led_tg_check()
net/sched: tbf: correct backlog statistic for GSO packets
can: j1939: j1939_session_new(): fix skb reference counting
net/ipv6: release expired exception dst cached in socket
dccp: Fix memory leak in dccp_feat_change_recv
tipc: add reference counter to bearer
tipc: enable creating a "preliminary" node
tipc: add new AEAD key structure for user API
tipc: Fix use-after-free of kernel socket in cleanup_bearer().
net/qed: allow old cards not supporting "num_images" to work
igb: Fix potential invalid memory access in igb_init_module()
netfilter: ipset: Hold module reference while requesting a module
netfilter: nft_set_hash: skip duplicated elements pending gc run
xen/xenbus: reference count registered modules
xenbus/backend: Add memory pressure handler callback
xenbus/backend: Protect xenbus callback with lock
xen/xenbus: fix locking
xen: Fix the issue of resource not being properly released in xenbus_dev_probe()
x86/asm: Reorder early variables
crypto: x86/aegis128 - access 32-bit arguments as 32-bit
gpio: grgpio: use a helper variable to store the address of ofdev->dev
gpio: grgpio: Add NULL check in grgpio_probe
drm/sti: Add __iomem for mixer_dbg_mxn's parameter
tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg
spi: mpc52xx: Add cancel_work_sync before module remove
ocfs2: free inode when ocfs2_get_init_inode() fails
bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie
bpf: Fix exact match conditions in trie_get_next_key()
HID: wacom: fix when get product name maybe null pointer
tracing: Fix cmp_entries_dup() to respect sort() comparison rules
ocfs2: update seq_file index in ocfs2_dlm_seq_next
scsi: qla2xxx: Fix NVMe and NPIV connect issue
scsi: qla2xxx: Supported speed displayed incorrectly for VPorts
scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt
nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()
bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again
dma-buf: fix dma_fence_array_signaled v4
regmap: detach regmap from dev on regmap_exit
mmc: core: Further prevent card detect during shutdown
s390/cpum_sf: Handle CPU hotplug remove during sampling
media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera
media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108
drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model
drm/mcde: Enable module autoloading
drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check()
samples/bpf: Fix a resource leak
net: fec_mpc52xx_phy: Use %pa to format resource_size_t
net: ethernet: fs_enet: Use %pa to format resource_size_t
net/sched: cbs: Fix integer overflow in cbs_set_port_rate()
af_packet: avoid erroring out after sock_init_data() in packet_create()
Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
net: af_can: do not leave a dangling sk pointer in can_create()
net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()
net: inet: do not leave a dangling sk pointer in inet_create()
net: inet6: do not leave a dangling sk pointer in inet6_create()
wifi: ath5k: add PCI ID for SX76X
wifi: ath5k: add PCI ID for Arcadyan devices
jfs: array-index-out-of-bounds fix in dtReadFirst
jfs: fix shift-out-of-bounds in dbSplit
jfs: fix array-index-out-of-bounds in jfs_readdir
jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
drm/amdgpu: set the right AMDGPU sg segment limitation
wifi: ipw2x00: libipw_rx_any(): fix bad alignment
wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()
Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables
ASoC: hdmi-codec: reorder channel allocation list
rocker: fix link status detection in rocker_carrier_init()
net/neighbor: clear error in case strict check is not set
netpoll: Use rcu_access_pointer() in __netpoll_setup
tracing: Use atomic64_inc_return() in trace_clock_counter()
leds: class: Protect brightness_show() with led_cdev->led_access mutex
scsi: st: Don't modify unknown block number in MTIOCGET
scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset
pinctrl: qcom-pmic-gpio: add support for PM8937
nvdimm: rectify the illogical code within nd_dax_probe()
f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.
PCI: Add 'reset_subordinate' to reset hierarchy below bridge
PCI: Add ACS quirk for Wangxun FF5xxx NICs
i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock
usb: chipidea: udc: handle USB Error Interrupt if IOC not set
powerpc/prom_init: Fixup missing powermac #size-cells
misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle
xdp: Simplify devmap cleanup
bpf: fix OOB devmap writes when deleting elements
Revert "unicode: Don't special case ignorable code points"
perf/x86/intel/pt: Fix buffer full but size is 0 case
KVM: arm64: vgic-its: Add a data length check in vgic_its_save_*
KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device
KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE
jffs2: Prevent rtime decompress memory corruption
jffs2: Fix rtime decompressor
ocfs2: Revert "ocfs2: fix the la space leak when unmounting an ocfs2 volume"
modpost: Add .irqentry.text to OTHER_SECTIONS
Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()"
PCI: rockchip-ep: Fix address translation unit programming
ALSA: usb-audio: Fix out of bounds reads when finding clock sources
bpf, xdp: Update devmap comments to reflect napi/rcu usage
Linux 5.4.287
Change-Id: Ib48a7a0e01226c0f910efae2139893c6a139b9b5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Xu Yang
|
e99a36ed0c |
usb: chipidea: udc: handle USB Error Interrupt if IOC not set
[ Upstream commit 548f48b66c0c5d4b9795a55f304b7298cde2a025 ] As per USBSTS register description about UEI: When completion of a USB transaction results in an error condition, this bit is set by the Host/Device Controller. This bit is set along with the USBINT bit, if the TD on which the error interrupt occurred also had its interrupt on complete (IOC) bit set. UI is set only when IOC set. Add checking UEI to fix miss call isr_tr_complete_handler() when IOC have not set and transfer error happen. Acked-by: Peter Chen <peter.chen@kernel.com> Signed-off-by: Xu Yang <xu.yang_2@nxp.com> Link: https://lore.kernel.org/r/20240926022906.473319-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Thinh Nguyen
|
a70316b52e |
usb: dwc3: gadget: Fix checking for number of TRBs left
commit 02a6982b0ccfcdc39e20016f5fc9a1b7826a6ee7 upstream. The check whether the TRB ring is full or empty in dwc3_calc_trbs_left() is insufficient. It assumes there are active TRBs if there's any request in the started_list. However, that's not the case for requests with a large SG list. That is, if we have a single usb request that requires more TRBs than the total TRBs in the TRB ring, the queued TRBs will be available when all the TRBs in the ring are completed. But the request is only partially completed and remains in the started_list. With the current logic, the TRB ring is empty, but dwc3_calc_trbs_left() returns 0. Fix this by additionally checking for the request->num_trbs for active TRB count. Cc: stable@vger.kernel.org Fixes: 51f1954ad853 ("usb: dwc3: gadget: Fix dwc3_calc_trbs_left()") Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> Link: https://lore.kernel.org/r/708dc62b56b77da1f704cc2ae9b6ddb1f2dbef1f.1731545781.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Michal Vrastil
|
eff104b29c |
Revert "usb: gadget: composite: fix OS descriptors w_value logic"
commit 51cdd69d6a857f527d6d0697a2e1f0fa8bca1005 upstream. This reverts commit ec6ce7075ef879b91a8710829016005dc8170f17. Fix installation of WinUSB driver using OS descriptors. Without the fix the drivers are not installed correctly and the property 'DeviceInterfaceGUID' is missing on host side. The original change was based on the assumption that the interface number is in the high byte of wValue but it is in the low byte, instead. Unfortunately, the fix is based on MS documentation which is also wrong. The actual USB request for OS descriptors (using USB analyzer) looks like: Offset 0 1 2 3 4 5 6 7 0x000 C1 A1 02 00 05 00 0A 00 C1: bmRequestType (device to host, vendor, interface) A1: nas magic number 0002: wValue (2: nas interface) 0005: wIndex (5: get extended property i.e. nas interface GUID) 008E: wLength (142) The fix was tested on Windows 10 and Windows 11. Cc: stable@vger.kernel.org Fixes: ec6ce7075ef8 ("usb: gadget: composite: fix OS descriptors w_value logic") Signed-off-by: Michal Vrastil <michal.vrastil@hidglobal.com> Signed-off-by: Elson Roy Serrao <quic_eserrao@quicinc.com> Acked-by: Peter korsgaard <peter@korsgaard.com> Link: https://lore.kernel.org/r/20241113235433.20244-1-quic_eserrao@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Vitalii Mordan
|
a35767ab80 |
usb: ehci-spear: fix call balance of sehci clk handling routines
commit 40c974826734836402abfd44efbf04f63a2cc1c1 upstream.
If the clock sehci->clk was not enabled in spear_ehci_hcd_drv_probe,
it should not be disabled in any path.
Conversely, if it was enabled in spear_ehci_hcd_drv_probe, it must be disabled
in all error paths to ensure proper cleanup.
Found by Linux Verification Center (linuxtesting.org) with Klever.
Fixes:
|
||
|
Edward Adam Davis
|
7aacc23608 |
USB: chaoskey: Fix possible deadlock chaoskey_list_lock
[ Upstream commit d73dc7b182be4238b75278bfae16afb4c5564a58 ] [Syzbot reported two possible deadlocks] The first possible deadlock is: WARNING: possible recursive locking detected 6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted -------------------------------------------- syz-executor363/2651 is trying to acquire lock: ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x15d/0x2c0 drivers/usb/misc/chaoskey.c:322 but task is already holding lock: ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x7f/0x2c0 drivers/usb/misc/chaoskey.c:299 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(chaoskey_list_lock); lock(chaoskey_list_lock); *** DEADLOCK *** The second possible deadlock is: WARNING: possible circular locking dependency detected 6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted ------------------------------------------------------ kworker/0:2/804 is trying to acquire lock: ffffffff899dadb0 (minor_rwsem){++++}-{3:3}, at: usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186 but task is already holding lock: ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_disconnect+0xa8/0x2a0 drivers/usb/misc/chaoskey.c:235 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (chaoskey_list_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752 chaoskey_open+0xdd/0x220 drivers/usb/misc/chaoskey.c:274 usb_open+0x186/0x220 drivers/usb/core/file.c:47 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x6cb/0x1390 fs/open.c:958 vfs_open+0x82/0x3f0 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3933 do_filp_open+0x1dc/0x430 fs/namei.c:3960 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (minor_rwsem){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x250b/0x3ce0 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825 down_write+0x93/0x200 kernel/locking/rwsem.c:1577 usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186 chaoskey_disconnect+0xb7/0x2a0 drivers/usb/misc/chaoskey.c:236 usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461 device_remove drivers/base/dd.c:569 [inline] device_remove+0x122/0x170 drivers/base/dd.c:561 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x396/0x9f0 drivers/base/core.c:3864 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304 hub_port_connect drivers/usb/core/hub.c:5361 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(chaoskey_list_lock); lock(minor_rwsem); lock(chaoskey_list_lock); lock(minor_rwsem); *** DEADLOCK *** [Analysis] The first is AA lock, it because wrong logic, it need a unlock. The second is AB lock, it needs to rearrange the order of lock usage. Fixes: 422dc0a4d12d ("USB: chaoskey: fail open after removal") Reported-by: syzbot+685e14d04fe35692d3bc@syzkaller.appspotmail.com Reported-by: syzbot+1f8ca5ee82576ec01f12@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=685e14d04fe35692d3bc Signed-off-by: Edward Adam Davis <eadavis@qq.com> Tested-by: syzbot+685e14d04fe35692d3bc@syzkaller.appspotmail.com Reported-by: syzbot+5f1ce62e956b7b19610e@syzkaller.appspotmail.com Tested-by: syzbot+5f1ce62e956b7b19610e@syzkaller.appspotmail.com Tested-by: syzbot+1f8ca5ee82576ec01f12@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/tencent_84EB865C89862EC22EE94CB3A7C706C59206@qq.com Cc: Oliver Neukum <oneukum@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |