13 Jan, 2021
1 commit
-
commit 718bf42b119de652ebcc93655a1f33a9c0d04b3c upstream.
Fix shift out-of-bounds in vhci_hcd.c:
UBSAN: shift-out-of-bounds in ../drivers/usb/usbip/vhci_hcd.c:399:41
shift exponent 768 is too large for 32-bit type 'int'Fixes: 03cd00d538a6 ("usbip: vhci-hcd: Set the vhci structure up to work")
Signed-off-by: Randy Dunlap
Reported-by: syzbot+297d20e437b79283bf6d@syzkaller.appspotmail.com
Cc: Yuyang Du
Cc: Shuah Khan
Cc: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org
Cc: stable
Link: https://lore.kernel.org/r/20201229071309.18418-1-rdunlap@infradead.org
Signed-off-by: Greg Kroah-Hartman
07 Oct, 2020
1 commit
-
kcov testing uncovered call to usb_hcd_giveback_urb() without disabling
interrupts.Link: https://lore.kernel.org/linux-usb/CAAeHK+wb4k-LGTjK9F5YbJNviF_+yU+wE_=Vpo9Rn7KFN8vG6Q@mail.gmail.com/
usb_hcd_giveback_urb() is called from vhci's urb_enqueue, when it
determines it doesn't need to xmit the urb and can give it back.
This path runs in task context.Disable irqs around usb_hcd_giveback_urb() call.
Reported-by: Andrey Konovalov
Suggested-by: Alan Stern
Acked-by: Andrey Konovalov
Signed-off-by: Shuah Khan
Link: https://lore.kernel.org/r/20201006223914.39257-1-skhan@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman
05 Oct, 2020
1 commit
-
We need the USB fixes in here as well for testing.
Signed-off-by: Greg Kroah-Hartman
25 Sep, 2020
1 commit
-
This commit reverts commit 7a2f2974f265 ("usbip: Implement a match
function to fix usbip").In summary, commit d5643d2249b2 ("USB: Fix device driver race")
inadvertently broke usbip functionality, which I resolved in an incorrect
manner by introducing a match function to usbip, usbip_match(), that
unconditionally returns true.However, the usbip_match function, as is, causes usbip to take over
virtual devices used by syzkaller for USB fuzzing, which is a regression
reported by Andrey Konovalov.Furthermore, in conjunction with the fix of another bug, handled by another
patch titled "usbcore/driver: Fix specific driver selection" in this patch
set, the usbip_match function causes unexpected USB subsystem behaviour
when the usbip_host driver is loaded. The unexpected behaviour can be
qualified as follows:
- If commit 41160802ab8e ("USB: Simplify USB ID table match") is included
in the kernel, then all USB devices are bound to the usbip_host
driver, which appears to the user as if all USB devices were
disconnected.
- If the same commit (41160802ab8e) is not in the kernel (as is the case
with v5.8.10) then all USB devices are re-probed and re-bound to their
original device drivers, which appears to the user as a disconnection
and re-connection of USB devices.Please note that this commit will make usbip non-operational again,
until yet another patch in this patch set is merged, titled
"usbcore/driver: Accommodate usbip".Cc: # 5.8: 41160802ab8e: USB: Simplify USB ID table match
Cc: # 5.8
Cc: Bastien Nocera
Cc: Valentina Manea
Cc: Shuah Khan
Cc: Greg Kroah-Hartman
Cc: Alan Stern
Cc:
Reported-by: Andrey Konovalov
Tested-by: Andrey Konovalov
Acked-by: Shuah Khan
Signed-off-by: M. Vefa Bicakci
Link: https://lore.kernel.org/r/20200922110703.720960-2-m.v.b@runbox.com
Signed-off-by: Greg Kroah-Hartman
16 Sep, 2020
1 commit
-
Simplify the return expression.
Acked-by: Shuah Khan
Signed-off-by: Liu Shixin
Link: https://lore.kernel.org/r/20200915032631.1772673-1-liushixin2@huawei.com
Signed-off-by: Greg Kroah-Hartman
18 Aug, 2020
1 commit
-
Commit 88b7381a939d ("USB: Select better matching USB drivers when
available") introduced the use of a "match" function to select a
non-generic/better driver for a particular USB device. This
unfortunately breaks the operation of usbip in general, as reported in
the kernel bugzilla with bug 208267 (linked below).Upon inspecting the aforementioned commit, one can observe that the
original code in the usb_device_match function used to return 1
unconditionally, but the aforementioned commit makes the usb_device_match
function use identifier tables and "match" virtual functions, if either of
them are available.Hence, this commit implements a match function for usbip that
unconditionally returns true to ensure that usbip is functional again.This change has been verified to restore usbip functionality, with a
v5.7.y kernel on an up-to-date version of Qubes OS 4.0, which uses
usbip to redirect USB devices between VMs.Thanks to Jonathan Dieter for the effort in bisecting this issue down
to the aforementioned commit.Fixes: 88b7381a939d ("USB: Select better matching USB drivers when available")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=208267
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1856443
Link: https://github.com/QubesOS/qubes-issues/issues/5905
Signed-off-by: M. Vefa Bicakci
Cc: # 5.7
Cc: Valentina Manea
Cc: Alan Stern
Reviewed-by: Bastien Nocera
Reviewed-by: Shuah Khan
Link: https://lore.kernel.org/r/20200810160017.46002-1-m.v.b@runbox.com
Signed-off-by: Greg Kroah-Hartman
10 Jul, 2020
1 commit
-
Replace the existing /* fall through */ comments and its variants with
the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary
fall-through markings when it is the case.[1] https://www.kernel.org/doc/html/latest/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through
Signed-off-by: Gustavo A. R. Silva
Acked-by: Shuah Khan
Link: https://lore.kernel.org/r/20200707195214.GA3932@embeddedor
Signed-off-by: Greg Kroah-Hartman
14 Jun, 2020
1 commit
-
Since commit 84af7a6194e4 ("checkpatch: kconfig: prefer 'help' over
'---help---'"), the number of '---help---' has been gradually
decreasing, but there are still more than 2400 instances.This commit finishes the conversion. While I touched the lines,
I also fixed the indentation.There are a variety of indentation styles found.
a) 4 spaces + '---help---'
b) 7 spaces + '---help---'
c) 8 spaces + '---help---'
d) 1 space + 1 tab + '---help---'
e) 1 tab + '---help---' (correct indentation)
f) 1 tab + 1 space + '---help---'
g) 1 tab + 2 spaces + '---help---'In order to convert all of them to 1 tab + 'help', I ran the
following commend:$ find . -name 'Kconfig*' | xargs sed -i 's/^[[:space:]]*---help---/\thelp/'
Signed-off-by: Masahiro Yamada
17 Dec, 2019
2 commits
-
If a transaction error happens in vhci_recv_ret_submit(), event
handler closes connection and changes port status to kick hub_event.
Then hub tries to flush the endpoint URBs, but that causes infinite
loop between usb_hub_flush_endpoint() and vhci_urb_dequeue() because
"vhci_priv" in vhci_urb_dequeue() was already released by
vhci_recv_ret_submit() before a transmission error occurred. Thus,
vhci_urb_dequeue() terminates early and usb_hub_flush_endpoint()
continuously calls vhci_urb_dequeue().The root cause of this issue is that vhci_recv_ret_submit()
terminates early without giving back URB when transaction error
occurs in vhci_recv_ret_submit(). That causes the error URB to still
be linked at endpoint list without “vhci_priv".So, in the case of transaction error in vhci_recv_ret_submit(),
unlink URB from the endpoint, insert proper error code in
urb->status and give back URB.Reported-by: Marek Marczykowski-Górecki
Tested-by: Marek Marczykowski-Górecki
Signed-off-by: Suwan Kim
Cc: stable
Acked-by: Shuah Khan
Link: https://lore.kernel.org/r/20191213023055.19933-3-suwan.kim027@gmail.com
Signed-off-by: Greg Kroah-Hartman -
When vhci uses SG and receives data whose size is smaller than SG
buffer size, it tries to receive more data even if it acutally
receives all the data from the server. If then, it erroneously adds
error event and triggers connection shutdown.vhci-hcd should check if it received all the data even if there are
more SG entries left. So, check if it receivces all the data from
the server in for_each_sg() loop.Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver")
Reported-by: Marek Marczykowski-Górecki
Tested-by: Marek Marczykowski-Górecki
Signed-off-by: Suwan Kim
Acked-by: Shuah Khan
Cc: stable
Link: https://lore.kernel.org/r/20191213023055.19933-2-suwan.kim027@gmail.com
Signed-off-by: Greg Kroah-Hartman
13 Nov, 2019
2 commits
-
Smatch reported that nents is not initialized and used in
stub_recv_cmd_submit(). nents is currently initialized by sgl_alloc()
and used to allocate multiple URBs when host controller doesn't
support scatter-gather DMA. The use of uninitialized nents means that
buf_len is zero and use_sg is true. But buffer length should not be
zero when an URB uses scatter-gather DMA.To prevent this situation, add the conditional that checks buf_len
and use_sg. And move the use of nents right after the sgl_alloc() to
avoid the use of uninitialized nents.If the error occurs, it adds SDEV_EVENT_ERROR_MALLOC and stub_priv
will be released by stub event handler and connection will be shut
down.Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver")
Reported-by: kbuild test robot
Reported-by: Dan Carpenter
Signed-off-by: Suwan Kim
Acked-by: Shuah Khan
Cc: stable
Link: https://lore.kernel.org/r/20191111141035.27788-1-suwan.kim027@gmail.com
Signed-off-by: Greg Kroah-Hartman -
USBIP uses lib/scatterlist.h
Hence it needs to set CONFIG_SGL_ALLOCSigned-off-by: Oliver Neukum
Cc: stable
Acked-by: Shuah Khan
Link: https://lore.kernel.org/r/20191112154939.21217-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman
04 Nov, 2019
1 commit
-
We need the USB fixes in here to build on top of.
Signed-off-by: Greg Kroah-Hartman
29 Oct, 2019
1 commit
-
iso_buffer should be set to NULL after use and free in the while loop.
In the case of isochronous URB in the while loop, iso_buffer is
allocated and after sending it to server, buffer is deallocated. And
then, if the next URB in the while loop is not a isochronous pipe,
iso_buffer still holds the previously deallocated buffer address and
kfree tries to free wrong buffer address.Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver")
Reported-by: kbuild test robot
Reported-by: Julia Lawall
Signed-off-by: Suwan Kim
Reviewed-by: Julia Lawall
Acked-by: Shuah Khan
Link: https://lore.kernel.org/r/20191022093017.8027-1-suwan.kim027@gmail.com
Signed-off-by: Greg Kroah-Hartman
14 Oct, 2019
1 commit
-
we want the USB fixes in here as well.
Signed-off-by: Greg Kroah-Hartman
04 Oct, 2019
2 commits
-
There is a return statement that is indented incorrectly, fix this.
Signed-off-by: Colin Ian King
Link: https://lore.kernel.org/r/20190927092000.19373-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman -
If the return value of vhci_init_attr_group and
sysfs_create_group is non-zero, which mean they failed
to init attr_group and create sysfs group, so it would
better add 'failed' message to indicate that.
This patch also change pr_err to dev_err to trace which
device is failed.Fixes: 0775a9cbc694 ("usbip: vhci extension: modifications to vhci driver")
Signed-off-by: Mao Wenan
Acked-by: Shuah Khan
Link: https://lore.kernel.org/r/20190916150921.152977-1-maowenan@huawei.com
Signed-off-by: Greg Kroah-Hartman
03 Sep, 2019
1 commit
-
There are bugs on vhci with usb 3.0 storage device. In USB, each SG
list entry buffer should be divisible by the bulk max packet size.
But with native SG support, this problem doesn't matter because the
SG buffer is treated as contiguous buffer. But without native SG
support, USB storage driver breaks SG list into several URBs and the
error occurs because of a buffer size of URB that cannot be divided
by the bulk max packet size. The error situation is as follows.When USB Storage driver requests 31.5 KB data and has SG list which
has 3584 bytes buffer followed by 7 4096 bytes buffer for some
reason. USB Storage driver splits this SG list into several URBs
because VHCI doesn't support SG and sends them separately. So the
first URB buffer size is 3584 bytes. When receiving data from device,
USB 3.0 device sends data packet of 1024 bytes size because the max
packet size of BULK pipe is 1024 bytes. So device sends 4096 bytes.
But the first URB buffer has only 3584 bytes buffer size. So host
controller terminates the transfer even though there is more data to
receive. So, vhci needs to support SG transfer to prevent this error.In this patch, vhci supports SG regardless of whether the server's
host controller supports SG or not, because stub driver splits SG
list into several URBs if the server's host controller doesn't
support SG.To support SG, vhci sets URB_DMA_MAP_SG flag in urb->transfer_flags
if URB has SG list and this flag will tell stub driver to use SG
list. After receiving urb from stub driver, vhci clear URB_DMA_MAP_SG
flag to avoid unnecessary DMA unmapping in HCD.vhci sends each SG list entry to stub driver. Then, stub driver sees
the total length of the buffer and allocates SG table and pages
according to the total buffer length calling sgl_alloc(). After stub
driver receives completed URB, it again sends each SG list entry to
vhci.If the server's host controller doesn't support SG, stub driver
breaks a single SG request into several URBs and submits them to
the server's host controller. When all the split URBs are completed,
stub driver reassembles the URBs into a single return command and
sends it to vhci.Moreover, in the situation where vhci supports SG, but stub driver
does not, or vice versa, usbip works normally. Because there is no
protocol modification, there is no problem in communication between
server and client even if the one has a kernel without SG support.In the case of vhci supports SG and stub driver doesn't, because
vhci sends only the total length of the buffer to stub driver as
it did before the patch applied, stub driver only needs to allocate
the required length of buffers using only kmalloc() regardless of
whether vhci supports SG or not. But stub driver has to allocate
buffer with kmalloc() as much as the total length of SG buffer which
is quite huge when vhci sends SG request, so it has overhead in
buffer allocation in this situation.If stub driver needs to send data buffer to vhci because of IN pipe,
stub driver also sends only total length of buffer as metadata and
then sends real data as vhci does. Then vhci receive data from stub
driver and store it to the corresponding buffer of SG list entry.And for the case of stub driver supports SG and vhci doesn't, since
the USB storage driver checks that vhci doesn't support SG and sends
the request to stub driver by splitting the SG list into multiple
URBs, stub driver allocates a buffer for each URB with kmalloc() as
it did before this patch.* Test environment
Test uses two difference machines and two different kernel version
to make mismatch situation between the client and the server where
vhci supports SG, but stub driver does not, or vice versa. All tests
are conducted in both full SG support that both vhci and stub support
SG and half SG support that is the mismatch situation. Test kernel
version is 5.3-rc6 with commit "usb: add a HCD_DMA flag instead of
guestimating DMA capabilities" to avoid unnecessary DMA mapping and
unmapping.- Test kernel version
- 5.3-rc6 with SG support
- 5.1.20-200.fc29.x86_64 without SG support* SG support test
- Test devices
- Super-speed storage device - SanDisk Ultra USB 3.0
- High-speed storage device - SMI corporation USB 2.0 flash drive- Test description
Test read and write operation of mass storage device that uses the
BULK transfer. In test, the client reads and writes files whose size
is over 1G and it works normally.* Regression test
- Test devices
- Super-speed device - Logitech Brio webcam
- High-speed device - Logitech C920 HD Pro webcam
- Full-speed device - Logitech bluetooth mouse
- Britz BR-Orion speaker
- Low-speed device - Logitech wired mouse- Test description
Moving and click test for mouse. To test the webcam, use gnome-cheese.
To test the speaker, play music and video on the client. All works
normally.* VUDC compatibility test
VUDC also works well with this patch. Tests are done with two USB
gadget created by CONFIGFS USB gadget. Both use the BULK pipe.1. Serial gadget
2. Mass storage gadget- Serial gadget test
Serial gadget on the host sends and receives data using cat command
on the /dev/ttyGS. The client uses minicom to communicate with
the serial gadget.- Mass storage gadget test
After connecting the gadget with vhci, use "dd" to test read and
write operation on the client side.Read - dd if=/dev/sd iflag=direct of=/dev/null bs=1G count=1
Write - dd if= iflag=direct of=/dev/sd bs=1G count=1Signed-off-by: Suwan Kim
Acked-by: Shuah khan
Link: https://lore.kernel.org/r/20190828032741.12234-1-suwan.kim027@gmail.com
Signed-off-by: Greg Kroah-Hartman
09 Aug, 2019
1 commit
-
USB drivers now support the ability for the driver core to handle the
creation and removal of device-specific sysfs files in a race-free
manner. Take advantage of that by converting the driver to use this by
moving the sysfs attributes into a group and assigning the dev_groups
pointer to it.Cc: Valentina Manea
Cc: Shuah Khan
Link: https://lore.kernel.org/r/20190806144502.17792-13-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman
06 Aug, 2019
1 commit
-
Platform drivers now have the option to have the platform core create
and remove any needed sysfs attribute files. So take advantage of that
and do not register "by hand" any sysfs files.Cc: Valentina Manea
Acked-by: Shuah Khan
Link: https://lore.kernel.org/r/20190805193636.25560-5-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman
05 Jun, 2019
1 commit
-
vhci_send_cmd_unlink() declears kvec array of size 3 but it actually
uses just one element of the array. So, remove kvec array and replace
it with single kvec variable.Signed-off-by: Suwan Kim
Acked-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
03 Jun, 2019
1 commit
-
we want the USB fixes in here as well.
Signed-off-by: Greg Kroah-Hartman
30 May, 2019
1 commit
-
Fix the following sparse context imbalance regression introduced in
a patch that fixed sleeping function called from invalid context bug.kbuild test robot reported on:
tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-linus
Regressions in current branch:
drivers/usb/usbip/stub_dev.c:399:9: sparse: sparse: context imbalance in 'stub_probe' - different lock contexts for basic block
drivers/usb/usbip/stub_dev.c:418:13: sparse: sparse: context imbalance in 'stub_disconnect' - different lock contexts for basic block
drivers/usb/usbip/stub_dev.c:464:1-10: second lock on line 476Error ids grouped by kconfigs:
recent_errors
├── i386-allmodconfig
│ └── drivers-usb-usbip-stub_dev.c:second-lock-on-line
├── x86_64-allmodconfig
│ ├── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_disconnect-different-lock-contexts-for-basic-block
│ └── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_probe-different-lock-contexts-for-basic-block
└── x86_64-allyesconfig
└── drivers-usb-usbip-stub_dev.c:second-lock-on-lineThis is a real problem in an error leg where spin_lock() is called on an
already held lock.Fix the imbalance in stub_probe() and stub_disconnect().
Signed-off-by: Shuah Khan
Fixes: 0c9e8b3cad65 ("usbip: usbip_host: fix BUG: sleeping function called from invalid context")
Cc: stable
Signed-off-by: Greg Kroah-Hartman
21 May, 2019
2 commits
-
stub_probe() and stub_disconnect() call functions which could call
sleeping function in invalid context whil holding busid_lock.Fix the problem by refining the lock holds to short critical sections
to change the busid_priv fields. This fix restructures the code to
limit the lock holds in stub_probe() and stub_disconnect().stub_probe():
[15217.927028] BUG: sleeping function called from invalid context at mm/slab.h:418
[15217.927038] in_atomic(): 1, irqs_disabled(): 0, pid: 29087, name: usbip
[15217.927044] 5 locks held by usbip/29087:
[15217.927047] #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0
[15217.927062] #1: 000000008f9ba75b (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0
[15217.927072] #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50
[15217.927082] #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50
[15217.927090] #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host]
[15217.927103] CPU: 3 PID: 29087 Comm: usbip Tainted: G W 5.1.0-rc6+ #40
[15217.927106] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013
[15217.927109] Call Trace:
[15217.927118] dump_stack+0x63/0x85
[15217.927127] ___might_sleep+0xff/0x120
[15217.927133] __might_sleep+0x4a/0x80
[15217.927143] kmem_cache_alloc_trace+0x1aa/0x210
[15217.927156] stub_probe+0xe8/0x440 [usbip_host]
[15217.927171] usb_probe_device+0x34/0x70stub_disconnect():
[15279.182478] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
[15279.182487] in_atomic(): 1, irqs_disabled(): 0, pid: 29114, name: usbip
[15279.182492] 5 locks held by usbip/29114:
[15279.182494] #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0
[15279.182506] #1: 00000000702cf0f3 (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0
[15279.182514] #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50
[15279.182522] #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50
[15279.182529] #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host]
[15279.182541] CPU: 0 PID: 29114 Comm: usbip Tainted: G W 5.1.0-rc6+ #40
[15279.182543] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013
[15279.182546] Call Trace:
[15279.182554] dump_stack+0x63/0x85
[15279.182561] ___might_sleep+0xff/0x120
[15279.182566] __might_sleep+0x4a/0x80
[15279.182574] __mutex_lock+0x55/0x950
[15279.182582] ? get_busid_priv+0x48/0x60 [usbip_host]
[15279.182587] ? reacquire_held_locks+0xec/0x1a0
[15279.182591] ? get_busid_priv+0x48/0x60 [usbip_host]
[15279.182597] ? find_held_lock+0x94/0xa0
[15279.182609] mutex_lock_nested+0x1b/0x20
[15279.182614] ? mutex_lock_nested+0x1b/0x20
[15279.182618] kernfs_remove_by_name_ns+0x2a/0x90
[15279.182625] sysfs_remove_file_ns+0x15/0x20
[15279.182629] device_remove_file+0x19/0x20
[15279.182634] stub_disconnect+0x6d/0x180 [usbip_host]
[15279.182643] usb_unbind_device+0x27/0x60Signed-off-by: Shuah Khan
Cc: stable
Signed-off-by: Greg Kroah-Hartman -
Cleanup do_rebind() return path and use common return path.
Signed-off-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
09 May, 2019
1 commit
-
Pull USB/PHY updates from Greg KH:
"Here is the big set of USB and PHY driver patches for 5.2-rc1There is the usual set of:
- USB gadget updates
- PHY driver updates and additions
- USB serial driver updates and fixes
- typec updates and new chips supported
- mtu3 driver updates
- xhci driver updates
- other tiny driver updates
Nothing really interesting, just constant forward progress.
All of these have been in linux-next for a while with no reported
issues. The usb-gadget and usb-serial trees were merged a bit "late",
but both of them had been in linux-next before they got merged here
last Friday"* tag 'usb-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (206 commits)
USB: serial: f81232: implement break control
USB: serial: f81232: add high baud rate support
USB: serial: f81232: clear overrun flag
USB: serial: f81232: fix interrupt worker not stop
usb: dwc3: Rename DWC3_DCTL_LPM_ERRATA
usb: dwc3: Fix default lpm_nyet_threshold value
usb: dwc3: debug: Print GET_STATUS(device) tracepoint
usb: dwc3: Do core validation early on probe
usb: dwc3: gadget: Set lpm_capable
usb: gadget: atmel: tie wake lock to running clock
usb: gadget: atmel: support USB suspend
usb: gadget: atmel_usba_udc: simplify setting of interrupt-enabled mask
dwc2: gadget: Fix completed transfer size calculation in DDMA
usb: dwc2: Set lpm mode parameters depend on HW configuration
usb: dwc2: Fix channel disable flow
usb: dwc2: Set actual frame number for completed ISOC transfer
usb: gadget: do not use __constant_cpu_to_le16
usb: dwc2: gadget: Increase descriptors count for ISOC's
usb: introduce usb_ep_type_string() function
usb: dwc3: move synchronize_irq() out of the spinlock protected block
...
30 Apr, 2019
1 commit
-
In preparation to enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.This patch fixes the following warning:
In file included from drivers/usb/usbip/vhci_hcd.c:15:
drivers/usb/usbip/vhci_hcd.c: In function ‘vhci_hub_control’:
drivers/usb/usbip/usbip_common.h:63:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (flag & usbip_debug_flag) \
^
drivers/usb/usbip/usbip_common.h:77:2: note: in expansion of macro ‘usbip_dbg_with_flag’
usbip_dbg_with_flag(usbip_debug_vhci_rh, fmt , ##args)
^~~~~~~~~~~~~~~~~~~
drivers/usb/usbip/vhci_hcd.c:509:4: note: in expansion of macro ‘usbip_dbg_vhci_rh’
usbip_dbg_vhci_rh(
^~~~~~~~~~~~~~~~~
drivers/usb/usbip/vhci_hcd.c:511:3: note: here
case USB_PORT_FEAT_U2_TIMEOUT:
^~~~Warning level 3 was used: -Wimplicit-fallthrough=3
This patch is part of the ongoing efforts to enable
-Wimplicit-fallthrough.Signed-off-by: Gustavo A. R. Silva
Acked-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
25 Apr, 2019
2 commits
-
Change the validation of number_of_packets in get_pipe to compare the
number of packets to a fixed maximum number of packets allowed, set to
be 1024. This number was chosen due to it being used by other drivers as
well, for example drivers/usb/host/uhci-q.cBackground/reason:
The get_pipe function in stub_rx.c validates the number of packets in
isochronous mode and aborts with an error if that number is too large,
in order to prevent malicious input from possibly triggering large
memory allocations. This was previously done by checking whether
pdu->u.cmd_submit.number_of_packets is bigger than the number of packets
that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes
if all except possibly the last packet had maximum length, given by
usb_endpoint_maxp(epd) * usb_endpoint_maxp_mult(epd). This leads to an
error if URBs with packets shorter than the maximum possible length are
submitted, which is allowed according to
Documentation/driver-api/usb/URB.rst and occurs for example with the
snd-usb-audio driver.Fixes: c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input")
Signed-off-by: Malte Leip
Cc: stable
Acked-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman -
There is an extra space character before the return statement.
Signed-off-by: Dan Carpenter
Signed-off-by: Greg Kroah-Hartman
19 Mar, 2019
1 commit
-
"vdev" points to vhci_hcd->vdev[] array and vhci_hcd->vdev[] array
is not a pointer array but a structure array and it is already used
in vhci_urb_enqueue() and then passed to vhci_tx_urb() as an argument.
vhci_tx_urb() is not called except vhci_urb_enqueue(). So, "vdev"
can not be null pointer. This null check statement is meaningless.Signed-off-by: Suwan Kim
Acked-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
30 Jan, 2019
1 commit
-
Fix vep_free_request() to return when usb_ep and usb_request are null
instead of calling WARN_ON.Signed-off-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
28 Jan, 2019
1 commit
-
We need the USB fixes in here as well.
Signed-off-by: Greg Kroah-Hartman
25 Jan, 2019
1 commit
-
Fix vhci_urb_enqueue() to print debug msg and return error instead of
failing with BUG_ON.Signed-off-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
22 Jan, 2019
1 commit
-
There are a few remaining drivers/usb/ files that do not have SPDX
identifiers in them, all of these are either Kconfig or Makefiles. Add
the correct GPL-2.0 identifier to them to make scanning tools happy.Signed-off-by: Greg Kroah-Hartman
18 Jan, 2019
1 commit
-
The README file ni the drivers/usb/usbip/ directory is not needed
anymore, so just delete it.Cc: Valentina Manea
Signed-off-by: Greg Kroah-Hartman
Acked-by: Shuah Khan
Signed-off-by: Greg Kroah-Hartman
02 Nov, 2018
1 commit
-
Pull AFS updates from Al Viro:
"AFS series, with some iov_iter bits included"* 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (26 commits)
missing bits of "iov_iter: Separate type from direction and use accessor functions"
afs: Probe multiple fileservers simultaneously
afs: Fix callback handling
afs: Eliminate the address pointer from the address list cursor
afs: Allow dumping of server cursor on operation failure
afs: Implement YFS support in the fs client
afs: Expand data structure fields to support YFS
afs: Get the target vnode in afs_rmdir() and get a callback on it
afs: Calc callback expiry in op reply delivery
afs: Fix FS.FetchStatus delivery from updating wrong vnode
afs: Implement the YFS cache manager service
afs: Remove callback details from afs_callback_break struct
afs: Commit the status on a new file/dir/symlink
afs: Increase to 64-bit volume ID and 96-bit vnode ID for YFS
afs: Don't invoke the server to read data beyond EOF
afs: Add a couple of tracepoints to log I/O errors
afs: Handle EIO from delivery function
afs: Fix TTL on VL server and address lists
afs: Implement VL server rotation
afs: Improve FS server rotation error handling
...
26 Oct, 2018
1 commit
-
Pull USB/PHY updates from Greg KH:
"Here is the big USB/PHY driver patches for 4.20-rc1Lots of USB changes in here, primarily in these areas:
- typec updates and new drivers
- new PHY drivers
- dwc2 driver updates and additions (this old core keeps getting
added to new devices.)- usbtmc major update based on the industry group coming together and
working to add new features and performance to the driver.- USB gadget additions for new features
- USB gadget configfs updates
- chipidea driver updates
- other USB gadget updates
- USB serial driver updates
- renesas driver updates
- xhci driver updates
- other tiny USB driver updates
All of these have been in linux-next for a while with no reported
issues"* tag 'usb-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (229 commits)
usb: phy: ab8500: silence some uninitialized variable warnings
usb: xhci: tegra: Add genpd support
usb: xhci: tegra: Power-off power-domains on removal
usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
usbip: tools: fix atoi() on non-null terminated string
USB: misc: appledisplay: fix backlight update_status return code
phy: phy-pxa-usb: add a new driver
usb: host: add DT bindings for faraday fotg2
usb: host: ohci-at91: fix request of irq for optional gpio
usb/early: remove set but not used variable 'remain_length'
usb: typec: Fix copy/paste on typec_set_vconn_role() kerneldoc
usb: typec: tcpm: Report back negotiated PPS voltage and current
USB: core: remove set but not used variable 'udev'
usb: core: fix memory leak on port_dev_path allocation
USB: net2280: Remove ->disconnect() callback from net2280_pullup()
usb: dwc2: disable power_down on rockchip devices
usb: gadget: udc: renesas_usb3: add support for r8a77990
dt-bindings: usb: renesas_usb3: add bindings for r8a77990
usb: gadget: udc: renesas_usb3: Add r8a774a1 support
USB: serial: cypress_m8: remove set but not used variable 'iflag'
...
24 Oct, 2018
1 commit
-
In the iov_iter struct, separate the iterator type from the iterator
direction and use accessor functions to access them in most places.Convert a bunch of places to use switch-statements to access them rather
then chains of bitwise-AND statements. This makes it easier to add further
iterator types. Also, this can be more efficient as to implement a switch
of small contiguous integers, the compiler can use ~50% fewer compare
instructions than it has to use bitwise-and instructions.Further, cease passing the iterator type into the iterator setup function.
The iterator function can set that itself. Only the direction is required.Signed-off-by: David Howells
19 Oct, 2018
1 commit
-
In rmmod path, usbip_vudc does platform_device_put() twice once from
platform_device_unregister() and then from put_vudc_device().The second put results in:
BUG kmalloc-2048 (Not tainted): Poison overwritten error or
BUG: KASAN: use-after-free in kobject_put+0x1e/0x230 if KASAN is
enabled.[ 169.042156] calling init+0x0/0x1000 [usbip_vudc] @ 1697
[ 169.042396] =============================================================================
[ 169.043678] probe of usbip-vudc.0 returned 1 after 350 usecs
[ 169.044508] BUG kmalloc-2048 (Not tainted): Poison overwritten
[ 169.044509] -----------------------------------------------------------------------------
...
[ 169.057849] INFO: Freed in device_release+0x2b/0x80 age=4223 cpu=3 pid=1693
[ 169.057852] kobject_put+0x86/0x1b0
[ 169.057853] 0xffffffffc0c30a96
[ 169.057855] __x64_sys_delete_module+0x157/0x240Fix it to call platform_device_del() instead and let put_vudc_device() do
the platform_device_put().Reported-by: Randy Dunlap
Signed-off-by: Shuah Khan (Samsung OSG)
Cc:
Signed-off-by: Greg Kroah-Hartman
09 Oct, 2018
1 commit
-
vhci_hub_control() accesses port_status array with out of bounds port
value. Fix it to reference port_status[] only with a valid rhport value
when invalid_rhport flag is true.The invalid_rhport flag is set early on after detecting in port value
is within the bounds or not.The following is used reproduce the problem and verify the fix:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ed8ab6400000Reported-by: syzbot+bccc1fe10b70fadc78d0@syzkaller.appspotmail.com
Cc: stable
Signed-off-by: Shuah Khan (Samsung OSG)
Signed-off-by: Greg Kroah-Hartman