19 Jan, 2021
1 commit
-
This patch allows the administrator to configure the interface
name of a function using u_ether (e.g., eem, ncm, rndis).Currently, all such interfaces, regardless of function type, are
always called usb0, usb1, etc. This makes it very cumbersome to
use more than one such type at a time, because userspace cannnot
easily tell the interfaces apart and apply the right
configuration to each one. Interface renaming in userspace based
on driver doesn't help, because the interfaces all have the same
driver. Without this patch, doing this require hacks/workarounds
such as setting fixed MAC addresses on the functions, and then
renaming by MAC address, or scraping configfs after each
interface is created to find out what it is.Setting the interface name is done by writing to the same
"ifname" configfs attribute that reports the interface name after
the function is bound. The write must contain an interface
pattern such as "usb%d" (which will cause the net core to pick
the next available interface name starting with "usb").
This patch does not allow writing an exact interface name (as
opposed to a pattern) because if the interface already exists at
bind time, the bind will fail and the whole gadget will fail to
activate. This could be allowed in a future patch.For compatibility with current userspace, when reading an ifname
that has not currently been set, the result is still "(unnamed
net_device)". Once a write to ifname happens, then reading ifname
will return whatever was last written.Tested by configuring an rndis function and an ncm function on
the same gadget, and writing "rndis%d" to ifname on the rndis
function and "ncm%d" to ifname on the ncm function. When the
gadget was bound, the rndis interface was rndis0 and the ncm
interface was ncm0.Signed-off-by: Lorenzo Colitti
(cherry picked from commit 63d152149b2d0860ccf8c4e6596b6175b2b7ace6
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next)
Link: https://lore.kernel.org/r/20210113234222.3272933-1-lorenzo@google.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Lorenzo Colitti
Change-Id: I04deb6cc1d8a5b8ee82404940de2a79c06fbafe7
Signed-off-by: Greg Kroah-Hartman
13 Jan, 2021
11 commits
-
Changes in 5.10.7
i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs
iavf: fix double-release of rtnl_lock
net/sched: sch_taprio: ensure to reset/destroy all child qdiscs
net: mvpp2: Add TCAM entry to drop flow control pause frames
net: mvpp2: prs: fix PPPoE with ipv6 packet parse
net: systemport: set dev->max_mtu to UMAC_MAX_MTU_SIZE
ethernet: ucc_geth: fix use-after-free in ucc_geth_remove()
ethernet: ucc_geth: set dev->max_mtu to 1518
ionic: account for vlan tag len in rx buffer len
atm: idt77252: call pci_disable_device() on error path
net: mvpp2: Fix GoP port 3 Networking Complex Control configurations
net: stmmac: dwmac-meson8b: ignore the second clock input
ibmvnic: fix login buffer memory leak
ibmvnic: continue fatal error reset after passive init
net: ethernet: mvneta: Fix error handling in mvneta_probe
qede: fix offload for IPIP tunnel packets
virtio_net: Fix recursive call to cpus_read_lock()
net/ncsi: Use real net-device for response handler
net: ethernet: Fix memleak in ethoc_probe
net-sysfs: take the rtnl lock when storing xps_cpus
net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc
net-sysfs: take the rtnl lock when storing xps_rxqs
net-sysfs: take the rtnl lock when accessing xps_rxqs_map and num_tc
net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered
tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS
e1000e: Only run S0ix flows if shutdown succeeded
e1000e: bump up timeout to wait when ME un-configures ULP mode
Revert "e1000e: disable s0ix entry and exit flows for ME systems"
e1000e: Export S0ix flags to ethtool
bnxt_en: Check TQM rings for maximum supported value.
net: mvpp2: fix pkt coalescing int-threshold configuration
bnxt_en: Fix AER recovery.
ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst()
net: sched: prevent invalid Scell_log shift count
net: hns: fix return value check in __lb_other_process()
erspan: fix version 1 check in gre_parse_header()
net: hdlc_ppp: Fix issues when mod_timer is called while timer is running
bareudp: set NETIF_F_LLTX flag
bareudp: Fix use of incorrect min_headroom size
vhost_net: fix ubuf refcount incorrectly when sendmsg fails
r8169: work around power-saving bug on some chip versions
net: dsa: lantiq_gswip: Enable GSWIP_MII_CFG_EN also for internal PHYs
net: dsa: lantiq_gswip: Fix GSWIP_MII_CFG(p) register access
CDC-NCM: remove "connected" log message
ibmvnic: fix: NULL pointer dereference.
net: usb: qmi_wwan: add Quectel EM160R-GL
selftests: mlxsw: Set headroom size of correct port
stmmac: intel: Add PCI IDs for TGL-H platform
selftests/vm: fix building protection keys test
block: add debugfs stanza for QUEUE_FLAG_NOWAIT
workqueue: Kick a worker based on the actual activation of delayed works
scsi: ufs: Fix wrong print message in dev_err()
scsi: ufs-pci: Fix restore from S4 for Intel controllers
scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff()
scsi: ufs-pci: Fix recovery from hibernate exit errors for Intel controllers
scsi: ufs-pci: Enable UFSHCD_CAP_RPM_AUTOSUSPEND for Intel controllers
scsi: block: Introduce BLK_MQ_REQ_PM
scsi: ide: Do not set the RQF_PREEMPT flag for sense requests
scsi: ide: Mark power management requests with RQF_PM instead of RQF_PREEMPT
scsi: scsi_transport_spi: Set RQF_PM for domain validation commands
scsi: core: Only process PM requests if rpm_status != RPM_ACTIVE
local64.h: make mandatory
lib/genalloc: fix the overflow when size is too big
depmod: handle the case of /sbin/depmod without /sbin in PATH
scsi: ufs: Clear UAC for FFU and RPMB LUNs
kbuild: don't hardcode depmod path
Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close
scsi: block: Remove RQF_PREEMPT and BLK_MQ_REQ_PREEMPT
scsi: block: Do not accept any requests while suspended
crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
crypto: asym_tpm: correct zero out potential secrets
powerpc: Handle .text.{hot,unlikely}.* in linker script
Staging: comedi: Return -EFAULT if copy_to_user() fails
staging: mt7621-dma: Fix a resource leak in an error handling path
usb: gadget: enable super speed plus
USB: cdc-acm: blacklist another IR Droid device
USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
usb: typec: intel_pmc_mux: Configure HPD first for HPD+IRQ request
usb: dwc3: meson-g12a: disable clk on error handling path in probe
usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup
usb: dwc3: gadget: Clear wait flag on dequeue
usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion
usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
usb: dwc3: ulpi: Fix USB2.0 HS/FS/LS PHY suspend regression
usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data()
USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set
usb: usbip: vhci_hcd: protect shift size
usb: uas: Add PNY USB Portable SSD to unusual_uas
USB: serial: iuu_phoenix: fix DMA from stack
USB: serial: option: add LongSung M5710 module support
USB: serial: option: add Quectel EM160R-GL
USB: yurex: fix control-URB timeout handling
USB: usblp: fix DMA to stack
ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks
usb: gadget: select CONFIG_CRC32
USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
usb: gadget: f_uac2: reset wMaxPacketSize
usb: gadget: function: printer: Fix a memory leak for interface descriptor
usb: gadget: u_ether: Fix MTU size mismatch with RX packet size
USB: gadget: legacy: fix return error code in acm_ms_bind()
usb: gadget: Fix spinlock lockup on usb_function_deactivate
usb: gadget: configfs: Preserve function ordering after bind failure
usb: gadget: configfs: Fix use-after-free issue with udc_name
USB: serial: keyspan_pda: remove unused variable
hwmon: (amd_energy) fix allocation of hwmon_channel_info config
mm: make wait_on_page_writeback() wait for multiple pending writebacks
x86/mm: Fix leak of pmd ptlock
KVM: x86/mmu: Use -1 to flag an undefined spte in get_mmio_spte()
KVM: x86/mmu: Get root level from walkers when retrieving MMIO SPTE
kvm: check tlbs_dirty directly
KVM: x86/mmu: Ensure TDP MMU roots are freed after yield
x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR
x86/resctrl: Don't move a task to the same resource group
blk-iocost: fix NULL iocg deref from racing against initialization
ALSA: hda/via: Fix runtime PM for Clevo W35xSS
ALSA: hda/conexant: add a new hda codec CX11970
ALSA: hda/realtek - Fix speaker volume control on Lenovo C940
ALSA: hda/realtek: Add mute LED quirk for more HP laptops
ALSA: hda/realtek: Enable mute and micmute LED on HP EliteBook 850 G7
ALSA: hda/realtek: Add two "Intel Reference board" SSID in the ALC256.
iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev
btrfs: qgroup: don't try to wait flushing if we're already holding a transaction
btrfs: send: fix wrong file path when there is an inode with a pending rmdir
Revert "device property: Keep secondary firmware node secondary by type"
dmabuf: fix use-after-free of dmabuf's file->f_inode
arm64: link with -z norelro for LLD or aarch64-elf
drm/i915: clear the shadow batch
drm/i915: clear the gpu reloc batch
bcache: fix typo from SUUP to SUPP in features.h
bcache: check unsupported feature sets for bcache register
bcache: introduce BCH_FEATURE_INCOMPAT_LOG_LARGE_BUCKET_SIZE for large bucket
net/mlx5e: Fix SWP offsets when vlan inserted by driver
ARM: dts: OMAP3: disable AES on N950/N9
netfilter: x_tables: Update remaining dereference to RCU
netfilter: ipset: fix shift-out-of-bounds in htable_bits()
netfilter: xt_RATEEST: reject non-null terminated string from userspace
netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
dmaengine: idxd: off by one in cleanup code
x86/mtrr: Correct the range check before performing MTRR type lookups
KVM: x86: fix shift out of bounds reported by UBSAN
xsk: Fix memory leak for failed bind
rtlwifi: rise completion at the last step of firmware callback
scsi: target: Fix XCOPY NAA identifier lookup
Linux 5.10.7Signed-off-by: Greg Kroah-Hartman
Change-Id: I1a7c195af35831fe362b027fe013c0c7e4dc20ea -
commit 64e6bbfff52db4bf6785fab9cffab850b2de6870 upstream.
There is a use-after-free issue, if access udc_name
in function gadget_dev_desc_UDC_store after another context
free udc_name in function unregister_gadget.Context 1:
gadget_dev_desc_UDC_store()->unregister_gadget()->
free udc_name->set udc_name to NULLContext 2:
gadget_dev_desc_UDC_show()-> access udc_nameCall trace:
dump_backtrace+0x0/0x340
show_stack+0x14/0x1c
dump_stack+0xe4/0x134
print_address_description+0x78/0x478
__kasan_report+0x270/0x2ec
kasan_report+0x10/0x18
__asan_report_load1_noabort+0x18/0x20
string+0xf4/0x138
vsnprintf+0x428/0x14d0
sprintf+0xe4/0x12c
gadget_dev_desc_UDC_show+0x54/0x64
configfs_read_file+0x210/0x3a0
__vfs_read+0xf0/0x49c
vfs_read+0x130/0x2b4
SyS_read+0x114/0x208
el0_svc_naked+0x34/0x38Add mutex_lock to protect this kind of scenario.
Signed-off-by: Eddie Hung
Signed-off-by: Macpaul Lin
Reviewed-by: Peter Chen
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1609239215-21819-1-git-send-email-macpaul.lin@mediatek.com
Signed-off-by: Greg Kroah-Hartman -
commit 6cd0fe91387917be48e91385a572a69dfac2f3f7 upstream.
When binding the ConfigFS gadget to a UDC, the functions in each
configuration are added in list order. However, if usb_add_function()
fails, the failed function is put back on its configuration's
func_list and purge_configs_funcs() is called to further clean up.purge_configs_funcs() iterates over the configurations and functions
in forward order, calling unbind() on each of the previously added
functions. But after doing so, each function gets moved to the
tail of the configuration's func_list. This results in reshuffling
the original order of the functions within a configuration such
that the failed function now appears first even though it may have
originally appeared in the middle or even end of the list. At this
point if the ConfigFS gadget is attempted to re-bind to the UDC,
the functions will be added in a different order than intended,
with the only recourse being to remove and relink the functions all
over again.An example of this as follows:
ln -s functions/mass_storage.0 configs/c.1
ln -s functions/ncm.0 configs/c.1
ln -s functions/ffs.adb configs/c.1 # oops, forgot to start adbd
echo "" > UDC # fails
start adbd
echo "" > UDC # now succeeds, but...
# bind order is
# "ADB", mass_storage, ncm[30133.118289] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520
[30133.119875] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520
[30133.119974] using random self ethernet address
[30133.120002] using random host ethernet address
[30133.139604] usb0: HOST MAC 3e:27:46:ba:3e:26
[30133.140015] usb0: MAC 6e:28:7e:42:66:6a
[30133.140062] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520
[30133.140081] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 --> -19
[30133.140098] configfs-gadget gadget: unbind function 'Mass Storage Function'/ffffff810af87200
[30133.140119] configfs-gadget gadget: unbind function 'cdc_network'/ffffff80f48d1a00
[30133.173201] configfs-gadget a600000.dwc3: failed to start g1: -19
[30136.661933] init: starting service 'adbd'...
[30136.700126] read descriptors
[30136.700413] read strings
[30138.574484] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520
[30138.575497] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520
[30138.575554] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520
[30138.575631] using random self ethernet address
[30138.575660] using random host ethernet address
[30138.595338] usb0: HOST MAC 2e:cf:43:cd:ca:c8
[30138.597160] usb0: MAC 6a:f0:9f:ee:82:a0
[30138.791490] configfs-gadget gadget: super-speed config #1: cFix this by reversing the iteration order of the functions in
purge_config_funcs() when unbinding them, and adding them back to
the config's func_list at the head instead of the tail. This
ensures that we unbind and unwind back to the original list order.Fixes: 88af8bbe4ef7 ("usb: gadget: the start of the configfs interface")
Signed-off-by: Chandana Kishori Chiluveru
Signed-off-by: Jack Pham
Reviewed-by: Peter Chen
Link: https://lore.kernel.org/r/20201229224443.31623-1-jackp@codeaurora.org
Cc: stable
Signed-off-by: Greg Kroah-Hartman -
commit 5cc35c224a80aa5a5a539510ef049faf0d6ed181 upstream.
There is a spinlock lockup as part of composite_disconnect
when it tries to acquire cdev->lock as part of usb_gadget_deactivate.
This is because the usb_gadget_deactivate is called from
usb_function_deactivate with the same spinlock held.This would result in the below call stack and leads to stall.
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 3-...0: (1 GPs behind) idle=162/1/0x4000000000000000
softirq=10819/10819 fqs=2356
(detected by 2, t=5252 jiffies, g=20129, q=3770)
Task dump for CPU 3:
task:uvc-gadget_wlhe state:R running task stack: 0 pid: 674 ppid:
636 flags:0x00000202
Call trace:
__switch_to+0xc0/0x170
_raw_spin_lock_irqsave+0x84/0xb0
composite_disconnect+0x28/0x78
configfs_composite_disconnect+0x68/0x70
usb_gadget_disconnect+0x10c/0x128
usb_gadget_deactivate+0xd4/0x108
usb_function_deactivate+0x6c/0x80
uvc_function_disconnect+0x20/0x58
uvc_v4l2_release+0x30/0x88
v4l2_release+0xbc/0xf0
__fput+0x7c/0x230
____fput+0x14/0x20
task_work_run+0x88/0x140
do_notify_resume+0x240/0x6f0
work_pending+0x8/0x200Fix this by doing an unlock on cdev->lock before the usb_gadget_deactivate
call from usb_function_deactivate.The same lockup can happen in the usb_gadget_activate path. Fix that path
as well.Reported-by: Peter Chen
Link: https://lore.kernel.org/linux-usb/20201102094936.GA29581@b29397-desktop/
Tested-by: Peter Chen
Signed-off-by: Sriharsha Allenki
Cc: stable
Link: https://lore.kernel.org/r/20201202130220.24926-1-sallenki@codeaurora.org
Signed-off-by: Greg Kroah-Hartman -
commit c91d3a6bcaa031f551ba29a496a8027b31289464 upstream.
If usb_otg_descriptor_alloc() failed, it need return ENOMEM.
Fixes: 578aa8a2b12c ("usb: gadget: acm_ms: allocate and init otg descriptor by otg capabilities")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
Cc: stable
Link: https://lore.kernel.org/r/20201117092955.4102785-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman -
commit 0a88fa221ce911c331bf700d2214c5b2f77414d3 upstream.
Fix the MTU size issue with RX packet size as the host sends the packet
with extra bytes containing ethernet header. This causes failure when
user sets the MTU size to the maximum i.e. 15412. In this case the
ethernet packet received will be of length 15412 plus the ethernet header
length. This patch fixes the issue where there is a check that RX packet
length must not be more than max packet length.Fixes: bba787a860fa ("usb: gadget: ether: Allow jumbo frames")
Signed-off-by: Manish Narani
Cc: stable
Link: https://lore.kernel.org/r/1605597215-122027-1-git-send-email-manish.narani@xilinx.com
Signed-off-by: Greg Kroah-Hartman -
commit 2cc332e4ee4febcbb685e2962ad323fe4b3b750a upstream.
When printer driver is loaded, the printer_func_bind function is called, in
this function, the interface descriptor be allocated memory, if after that,
the error occurred, the interface descriptor memory need to be free.Reviewed-by: Peter Chen
Cc:
Signed-off-by: Zqiang
Link: https://lore.kernel.org/r/20201210020148.6691-1-qiang.zhang@windriver.com
Signed-off-by: Greg Kroah-Hartman -
commit 9389044f27081d6ec77730c36d5bf9a1288bcda2 upstream.
With commit 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth")
wMaxPacketSize is computed dynamically but the value is never reset.Because of this, the actual maximum packet size can only decrease each time
the audio gadget is instantiated.Reset the endpoint maximum packet size and mark wMaxPacketSize as dynamic
to solve the problem.Fixes: 913e4a90b6f9 ("usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth")
Signed-off-by: Jerome Brunet
Cc: stable
Link: https://lore.kernel.org/r/20201221173531.215169-2-jbrunet@baylibre.com
Signed-off-by: Greg Kroah-Hartman -
commit c318840fb2a42ce25febc95c4c19357acf1ae5ca upstream.
The dummy-hcd driver was written under the assumption that all the
parameters in URBs sent to its root hub would be valid. With URBs
sent from userspace via usbfs, that assumption can be violated.In particular, the driver doesn't fully check the port-feature values
stored in the wValue entry of Clear-Port-Feature and Set-Port-Feature
requests. Values that are too large can cause the driver to perform
an invalid left shift of more than 32 bits. Ironically, two of those
left shifts are unnecessary, because they implement Set-Port-Feature
requests that hubs are not required to support, according to section
11.24.2.13 of the USB-2.0 spec.This patch adds the appropriate checks for the port feature selector
values and removes the unnecessary feature settings. It also rejects
requests to set the TEST feature or to set or clear the INDICATOR and
C_OVERCURRENT features, as none of these are relevant to dummy-hcd's
root-hub emulation.CC:
Reported-and-tested-by: syzbot+5925509f78293baa7331@syzkaller.appspotmail.com
Signed-off-by: Alan Stern
Link: https://lore.kernel.org/r/20201230162044.GA727759@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman -
commit d7889c2020e08caab0d7e36e947f642d91015bd0 upstream.
Without crc32 support, this driver fails to link:
arm-linux-gnueabi-ld: drivers/usb/gadget/function/f_eem.o: in function `eem_unwrap':
f_eem.c:(.text+0x11cc): undefined reference to `crc32_le'
arm-linux-gnueabi-ld: drivers/usb/gadget/function/f_ncm.o:f_ncm.c:(.text+0x1e40):
more undefined references to `crc32_le' followFixes: 6d3865f9d41f ("usb: gadget: NCM: Add transmit multi-frame.")
Signed-off-by: Arnd Bergmann
Cc: stable
Link: https://lore.kernel.org/r/20210103214224.1996535-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman -
commit e2459108b5a0604c4b472cae2b3cb8d3444c77fb upstream.
Enable Super speed plus in configfs to support USB3.1 Gen2.
This ensures that when a USB gadget is plugged in, it is
enumerated as Gen 2 and connected at 10 Gbps if the host and
cable are capable of it.Many in-tree gadget functions (fs, midi, acm, ncm, mass_storage,
etc.) already have SuperSpeed Plus support.Tested: plugged gadget into Linux host and saw:
[284907.385986] usb 8-2: new SuperSpeedPlus Gen 2 USB device number 3 using xhci_hcdTested-by: Lorenzo Colitti
Acked-by: Felipe Balbi
Signed-off-by: taehyun.cho
Signed-off-by: Lorenzo Colitti
Link: https://lore.kernel.org/r/20210106154625.2801030-1-lorenzo@google.com
Cc: stable
Signed-off-by: Greg Kroah-Hartman
30 Dec, 2020
10 commits
-
If get_acc_dev() fails to obtain a reference to the current device,
acc_disconnect() will attempt to put_acc_dev() with the resulting NULL
pointer, leading to a crash:| Unable to handle kernel NULL pointer dereference at virtual address 00000074
| [...]
| [] (acc_disconnect) from [] (android_disconnect+0x1c/0x7c)
| [] (android_disconnect) from [] (usb_gadget_udc_reset+0x10/0x34)
| [] (usb_gadget_udc_reset) from [] (dwc3_gadget_reset_interrupt+0x88/0x4fc)
| [] (dwc3_gadget_reset_interrupt) from [] (dwc3_process_event_buf+0x60/0x3e4)
| [] (dwc3_process_event_buf) from [] (dwc3_thread_interrupt+0x24/0x3c)
| [] (dwc3_thread_interrupt) from [] (irq_thread_fn+0x1c/0x58)
| [] (irq_thread_fn) from [] (irq_thread+0x1ec/0x2f4)
| [] (irq_thread) from [] (kthread+0x1a8/0x1ac)
| [] (kthread) from [] (ret_from_fork+0x14/0x3c)Follow the pattern used elsewhere, and return early if we fail to obtain
a reference.Bug: 173789633
Reported-by: YongQin Liu
Signed-off-by: Will Deacon
Change-Id: I37a2bff5bc1b6b8269788d08191181763bf0e896
Signed-off-by: Giuliano Procida -
Using bitfields for shared variables is a "bad idea", as they require
a non-atomic read-modify-write to be generated by the compiler, which can
cause updates to unrelated bits in the same word to disappear.Ensure the 'online' and 'disconnected' members of 'struct acc_dev' are
placed in separate variables by declaring them each as 'int'.Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: Ia6031d82a764e83b2cc3502fbe5fb273511da752
Signed-off-by: Giuliano Procida -
Tearing down and freeing the 'acc_dev' structure when there is
potentially asynchronous work queued involving its member fields is
likely to lead to use-after-free issues.Cancel any pending work before freeing the structure.
Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: I68a91274aea18034637b738d558d043ac74fadf4
Signed-off-by: Giuliano Procida -
If acc_setup() is called when there is already an allocated instance,
misc_register() will fail but the error path leaves a dangling pointer
to freed memory in the global 'acc_dev' state.Fix this by ensuring that the refcount is zero before we start, and then
using a cmpxchg() from NULL to serialise any concurrent initialisers.Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: I2c26289dcce7dbc493964516c49b05d04aaa6839
Signed-off-by: Giuliano Procida -
acc_release() attempts to synchronise with acc_open() using an atomic
'open_excl' member in 'struct acc_dev'. Unfortunately, acc_release()
prematurely resets this atomic variable to zero, meaning there is a
potential race on 'dev->disconnected':acc_open() acc_release()
atomic_xchg(open_excl), 0)
atomic_xchg(open_excl, 1)
dev->disconnected = 0; dev->disconnected = 1;Fix the race by ensuring that the 'disconnected' field is written
before clearing 'open_excl' in acc_release().Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: Ib9a21f2305f6d70de3e760da62dbfdd66889200a
Signed-off-by: Giuliano Procida -
Add refcounting to track the lifetime of the global 'acc_dev' structure,
as the underlying function directories can be removed while references
still exist to the dev node.Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: I248408e890d01167706c329146d63b64a6456df6
Signed-off-by: Giuliano Procida -
The '_acc_dev' global variable is a fancy use-after-free factory. Wrap
it in some get()/put() functions in preparation for introducing some
refcounting.Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: I4c839627648c209341a81efa0c001c8d71b878d4
Signed-off-by: Giuliano Procida -
acc_alloc_inst() assigns to a local 'dev' variable, but then never uses
it. Remove the redundant assignment, and the local variable along with
it.Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: Ide9c2e89fb12b846eb8739b302d1b742fc7eb6b5
Signed-off-by: Giuliano Procida -
Remove some useless print statements, as they can trivially be used to
spam the console and don't report anything meaningful.Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: I28052010fc3ec033a2c99efeb3f6c919d54d75c2
Signed-off-by: Giuliano Procida -
Neither acc_gadget_bind() nor acc_gadget_register_driver() exist, so
remove the stale comments that refer to them.Bug: 173789633
Signed-off-by: Will Deacon
Change-Id: If396ba3bcac3ca59c48e5a5faa0a8520534ed625
Signed-off-by: Giuliano Procida
27 Dec, 2020
2 commits
-
The merge of 5.10.3 into android12-5.10 caused a build issue in the
f_fs.c file due to an upstream patch being accepted that was a bit
different from what was applied to the tree earlier.Fixes: 499df25c94d7 ("Merge 5.10.3 into android12-5.10")
Signed-off-by: Greg Kroah-Hartman
Change-Id: I41a8809038e7638697955f82609bcb3aea0293fa -
Changes in 5.10.3
net: ipconfig: Avoid spurious blank lines in boot log
x86/split-lock: Avoid returning with interrupts enabled
exfat: Avoid allocating upcase table using kcalloc()
soc/tegra: fuse: Fix index bug in get_process_id
usb: mtu3: fix memory corruption in mtu3_debugfs_regset()
USB: serial: option: add interface-number sanity check to flag handling
USB: gadget: f_acm: add support for SuperSpeed Plus
USB: gadget: f_midi: setup SuperSpeed Plus descriptors
usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus
USB: gadget: f_rndis: fix bitrate for SuperSpeed and above
usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul
ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU
ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on Exynos5410
ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU
coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf()
coresight: tmc-etr: Check if page is valid before dma_map_page()
coresight: tmc-etr: Fix barrier packet insertion for perf buffer
coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf()
coresight: etm4x: Skip setting LPOVERRIDE bit for qcom, skip-power-up
coresight: etm4x: Fix accesses to TRCVMIDCTLR1
coresight: etm4x: Fix accesses to TRCCIDCTLR1
coresight: etm4x: Fix accesses to TRCPROCSELR
coresight: etm4x: Handle TRCVIPCSSCTLR accesses
f2fs: fix to seek incorrect data offset in inline data file
f2fs: init dirty_secmap incorrectly
scsi: megaraid_sas: Check user-provided offsets
HID: i2c-hid: add Vero K147 to descriptor override
serial_core: Check for port state when tty is in error state
fscrypt: remove kernel-internal constants from UAPI header
fscrypt: add fscrypt_is_nokey_name()
ubifs: prevent creating duplicate encrypted filenames
ext4: prevent creating duplicate encrypted filenames
f2fs: prevent creating duplicate encrypted filenames
Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
quota: Sanity-check quota file headers on load
fs: quota: fix array-index-out-of-bounds bug by passing correct argument to vfs_cleanup_quota_inode()
media: msi2500: assign SPI bus number dynamically
crypto: af_alg - avoid undefined behavior accessing salg_name
nl80211: validate key indexes for cfg80211_registered_device
md: fix a warning caused by a race between concurrent md_ioctl()s
Linux 5.10.3Signed-off-by: Greg Kroah-Hartman
Change-Id: Ia12e3bc535549040a55f8dfb70921d99882e79f5
26 Dec, 2020
4 commits
-
commit b00f444f9add39b64d1943fa75538a1ebd54a290 upstream.
Align the SuperSpeed Plus bitrate for f_rndis to match f_ncm's ncm_bitrate
defined by commit 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors
for CDC NCM").Cc: Felipe Balbi
Cc: EJ Hsu
Cc: Peter Chen
Cc: stable
Signed-off-by: Will McVicker
Reviewed-by: Peter Chen
Link: https://lore.kernel.org/r/20201127140559.381351-2-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman -
commit a353397b0d5dfa3c99b372505db3378fc919c6c6 upstream.
In many cases a function that supports SuperSpeed can very well
operate in SuperSpeedPlus, if a gadget controller supports it,
as the endpoint descriptors (and companion descriptors) are
generally identical and can be re-used. This is true for two
commonly used functions: Android's ADB and MTP. So we can simply
assign the usb_function's ssp_descriptors array to point to its
ss_descriptors, if available. Similarly, we need to allow an
epfile's ioctl for FUNCTIONFS_ENDPOINT_DESC to correctly
return the corresponding SuperSpeed endpoint descriptor in case
the connected speed is SuperSpeedPlus as well.The only exception is if a function wants to implement an
Isochronous endpoint capable of transferring more than 48KB per
service interval when operating at greater than USB 3.1 Gen1
speed, in which case it would require an additional SuperSpeedPlus
Isochronous Endpoint Companion descriptor to be returned as part
of the Configuration Descriptor. Support for that would need
to be separately added to the userspace-facing FunctionFS API
which may not be a trivial task--likely a new descriptor format
(v3?) may need to be devised to allow for separate SS and SSP
descriptors to be supplied.Signed-off-by: Jack Pham
Cc: stable
Link: https://lore.kernel.org/r/20201027230731.9073-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman -
commit 457a902ba1a73b7720666b21ca038cd19764db18 upstream.
Needed for SuperSpeed Plus support for f_midi. This allows the
gadget to work properly without crashing at SuperSpeed rates.Cc: Felipe Balbi
Cc: stable
Signed-off-by: Will McVicker
Reviewed-by: Peter Chen
Link: https://lore.kernel.org/r/20201127140559.381351-4-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman -
commit 3ee05c20656782387aa9eb010fdb9bb16982ac3f upstream.
Setup the SuperSpeed Plus descriptors for f_acm. This allows the gadget
to work properly without crashing at SuperSpeed rates.Cc: Felipe Balbi
Cc: stable
Signed-off-by: taehyun.cho
Signed-off-by: Will McVicker
Reviewed-by: Peter Chen
Link: https://lore.kernel.org/r/20201127140559.381351-3-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman
23 Dec, 2020
1 commit
-
f_accessory: fix CTS test stuck since CTS 9.0.
- Refine acc_read() process.The data length that user (test program) wants to read is different
from they really requested. This will cause the test flow stuck on the
2nd or the 3rd transfers in accessory test.
(By connecting 2 phones with CtsVerifier.apk and
CtsVerifierUSBCompanion.apk installed.)Bug: 174729307
Change-Id: I5367c8075ed37534e8bed94b60cc79135ae5aebc
Signed-off-by: Macpaul Lin
21 Dec, 2020
2 commits
-
Changes in 5.10.2
ptrace: Prevent kernel-infoleak in ptrace_get_syscall_info()
ktest.pl: If size of log is too big to email, email error message
ktest.pl: Fix the logic for truncating the size of the log file for email
USB: legotower: fix logical error in recent commit
USB: dummy-hcd: Fix uninitialized array use in init()
USB: add RESET_RESUME quirk for Snapscan 1212
ALSA: usb-audio: Fix potential out-of-bounds shift
ALSA: usb-audio: Fix control 'access overflow' errors from chmap
xhci: Give USB2 ports time to enter U3 in bus suspend
usb: xhci: Set quirk for XHCI_SG_TRB_CACHE_SIZE_QUIRK
xhci-pci: Allow host runtime PM as default for Intel Alpine Ridge LP
xhci-pci: Allow host runtime PM as default for Intel Maple Ridge xHCI
USB: UAS: introduce a quirk to set no_write_same
USB: sisusbvga: Make console support depend on BROKEN
ALSA: pcm: oss: Fix potential out-of-bounds shift
serial: 8250_omap: Avoid FIFO corruption caused by MDR1 access
Linux 5.10.2Signed-off-by: Greg Kroah-Hartman
Change-Id: I0dfd41a3ba5b102699ef78641fbe48ed16957a0f -
commit e90cfa813da7a527785033a0b247594c2de93dd8 upstream.
This error path
err_add_pdata:
for (i = 0; i < mod_data.num; i++)
kfree(dum[i]);can be triggered when not all dum's elements are initialized.
Fix this by initializing all dum's elements to NULL.
Acked-by: Alan Stern
Cc: stable
Signed-off-by: Bui Quang Minh
Link: https://lore.kernel.org/r/1607063090-3426-1-git-send-email-minhquangbui99@gmail.com
Signed-off-by: Greg Kroah-Hartman
09 Dec, 2020
1 commit
-
Linux 5.10-rc7
Signed-off-by: Greg Kroah-Hartman
Change-Id: Ie61b3510311a825ee57bee12610e25bc1500b350
04 Dec, 2020
1 commit
-
The function may be unbound causing the ffs_ep and its descriptors
to be freed while userspace is in the middle of an ioctl requesting
the same descriptors. Avoid dangling pointer reference by first
making a local copy of desctiptors before releasing the spinlock.Fixes: c559a3534109 ("usb: gadget: f_fs: add ioctl returning ep descriptor")
Reviewed-by: Peter Chen
Signed-off-by: Vamsi Krishna Samavedam
Signed-off-by: Jack Pham
Cc: stable
Link: https://lore.kernel.org/r/20201130203453.28154-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman
02 Dec, 2020
1 commit
-
Currently f_midi function driver is marking the f_midi->card
NULL when the card is unregistered. There is a possibility that
alsa_show is called after the card is unregistered which can lead
to page fault since midi->card is assigned to rmidi->card. Avoid
this by adding midi->card pointer check in alsa_show.Fixes: 14948a5ac30e ("ANDROID: usb: gadget: f_midi: create F_midi device")
Change-Id: I24fd35fb9cd35fcd5d8698b808459310b09675f9
Signed-off-by: Pratham Pratap
Signed-off-by: Jack Pham
30 Nov, 2020
1 commit
-
…g/pub/scm/linux/kernel/git/riscv/linux") into android-mainline
Steps on the way to 5.10-rc6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I943a0442970ab0d96792b62331608cfa0fc831aa
27 Nov, 2020
5 commits
-
Adds the necessary SuperSpeed Plus support for f_accessory.
[Not upstream as this file is not upstream.]
Bug: 170925797
Signed-off-by: taehyun.cho
Change-Id: Ia2a5f4a6cefac2418f8f29bf1a56355b96d80fc0
(cherry picked from commit 00572be28ec474d7953f1b9dd681cc2dd290d9bf)
[willmcvicker: only cherry-pick f_accessory from original patch]
Signed-off-by: Will McVicker
(cherry picked from commit 4d7ced0819d3f30acbde46991393249049cefa05)
Signed-off-by: Will McVicker
Signed-off-by: Greg Kroah-Hartman -
Align the SuperSpeed Plus bitrate for f_rndis to match f_ncm's ncm_bitrate
defined by commit 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors
for CDC NCM").Bug: 170925797
Link: https://lore.kernel.org/r/20201126180937.255892-1-gregkh@linuxfoundation.org
Signed-off-by: Will McVicker
Change-Id: If5bfe9d4b266e1bf3a0016950219a57c7d0aedca
(cherry picked from commit 68caaaea9f259554680175a7f39374338179d7db)
Signed-off-by: Will McVicker
Signed-off-by: Greg Kroah-Hartman -
Needed for SuperSpeed Plus support for f_midi.
Bug: 170925797
Link: https://lore.kernel.org/r/20201126180937.255892-4-gregkh@linuxfoundation.org
Signed-off-by: Will McVicker
Change-Id: Ie16ddcb97555f4e7ef762b719ea3f7c2a251eb43
(cherry picked from commit 2746f5ffbf7a1d4ce6a933b75cf1eb4fdf7744c0)
Signed-off-by: Will McVicker
Signed-off-by: Greg Kroah-Hartman -
Setup the descriptors for SuperSpeed Plus for f_fs.
Bug: 170925797
Signed-off-by: taehyun.cho
Link: https://lore.kernel.org/r/20201126180937.255892-3-gregkh@linuxfoundation.org
Change-Id: I261bc3fb6f586b81d2233f60a6fe0a5f250b437b
(cherry picked from commit 00572be28ec474d7953f1b9dd681cc2dd290d9bf)
[willmcvicker: only cherry-picked f_fs portion of original patch]
Signed-off-by: Will McVicker
(cherry picked from commit fc5d4d05b09dcc3d74c77ee6dd3fe5d451364a3b)
Signed-off-by: Will McVicker
Signed-off-by: Greg Kroah-Hartman -
Setup the SuperSpeed Plus descriptors for f_acm.
Bug: 170925797
Signed-off-by: taehyun.cho
Link: https://lore.kernel.org/r/20201126180937.255892-2-gregkh@linuxfoundation.org
Change-Id: I40379059d4426a523912b1514a5e5f7575576807
(cherry picked from commit 00572be28ec474d7953f1b9dd681cc2dd290d9bf)
[willmcvicker: only cherry-picked f_acm portion of original patch]
Signed-off-by: Will McVicker
(cherry picked from commit c0e20d957704dc9d804d497fcb877ea47b7d7534)
Signed-off-by: Will McVicker
Signed-off-by: Greg Kroah-Hartman