1. 06 Jan, 2021 1 commit
  2. 05 Jan, 2021 1 commit
  3. 04 Jan, 2021 10 commits
    • Chandana Kishori Chiluveru's avatar
      usb: gadget: configfs: Preserve function ordering after bind failure · 6cd0fe91
      Chandana Kishori Chiluveru authored
      When binding the ConfigFS gadget to a UDC, the functions in each
      configuration are added in list order. However, if usb_add_function()
      fails, the failed function is put back on its configuration's
      func_list and purge_configs_funcs() is called to further clean up.
      
      purge_configs_funcs() iterates over the configurations and functions
      in forward order, calling unbind() on each of the previously added
      functions. But after doing so, each function gets moved to the
      tail of the configuration's func_list. This results in reshuffling
      the original order of the functions within a configuration such
      that the failed function now appears first even though it may have
      originally appeared in the middle or even end of the list. At this
      point if the ConfigFS gadget is attempted to re-bind to the UDC,
      the functions will be added in a different order than intended,
      with the only recourse being to remove and relink the functions all
      over again.
      
      An example of this as follows:
      
      ln -s functions/mass_storage.0 configs/c.1
      ln -s functions/ncm.0 configs/c.1
      ln -s functions/ffs.adb configs/c.1	# oops, forgot to start adbd
      echo "<udc device>" > UDC		# fails
      start adbd
      echo "<udc device>" > UDC		# now succeeds, but...
      					# bind order is
      					# "ADB", mass_storage, ncm
      
      [30133.118289] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520
      [30133.119875] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520
      [30133.119974] using random self ethernet address
      [30133.120002] using random host ethernet address
      [30133.139604] usb0: HOST MAC 3e:27:46:ba:3e:26
      [30133.140015] usb0: MAC 6e:28:7e:42:66:6a
      [30133.140062] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520
      [30133.140081] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 --> -19
      [30133.140098] configfs-gadget gadget: unbind function 'Mass Storage Function'/ffffff810af87200
      [30133.140119] configfs-gadget gadget: unbind function 'cdc_network'/ffffff80f48d1a00
      [30133.173201] configfs-gadget a600000.dwc3: failed to start g1: -19
      [30136.661933] init: starting service 'adbd'...
      [30136.700126] read descriptors
      [30136.700413] read strings
      [30138.574484] configfs-gadget gadget: adding 'Function FS Gadget'/ffffff80f3868438 to config 'c'/ffffff817d6a2520
      [30138.575497] configfs-gadget gadget: adding 'Mass Storage Function'/ffffff810af87200 to config 'c'/ffffff817d6a2520
      [30138.575554] configfs-gadget gadget: adding 'cdc_network'/ffffff80f48d1a00 to config 'c'/ffffff817d6a2520
      [30138.575631] using random self ethernet address
      [30138.575660] using random host ethernet address
      [30138.595338] usb0: HOST MAC 2e:cf:43:cd:ca:c8
      [30138.597160] usb0: MAC 6a:f0:9f:ee:82:a0
      [30138.791490] configfs-gadget gadget: super-speed config #1: c
      
      Fix this by reversing the iteration order of the functions in
      purge_config_funcs() when unbinding them, and adding them back to
      the config's func_list at the head instead of the tail. This
      ensures that we unbind and unwind back to the original list order.
      
      Fixes: 88af8bbe ("usb: gadget: the start of the configfs interface")
      Signed-off-by: default avatarChandana Kishori Chiluveru <cchiluve@codeaurora.org>
      Signed-off-by: default avatarJack Pham <jackp@codeaurora.org>
      Reviewed-by: default avatarPeter Chen <peter.chen@nxp.com>
      Link: https://lore.kernel.org/r/20201229224443.31623-1-jackp@codeaurora.org
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6cd0fe91
    • Arnd Bergmann's avatar
      usb: gadget: select CONFIG_CRC32 · d7889c20
      Arnd Bergmann authored
      Without crc32 support, this driver fails to link:
      
      arm-linux-gnueabi-ld: drivers/usb/gadget/function/f_eem.o: in function `eem_unwrap':
      f_eem.c:(.text+0x11cc): undefined reference to `crc32_le'
      arm-linux-gnueabi-ld: drivers/usb/gadget/function/f_ncm.o:f_ncm.c:(.text+0x1e40):
      more undefined references to `crc32_le' follow
      
      Fixes: 6d3865f9 ("usb: gadget: NCM: Add transmit multi-frame.")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20210103214224.1996535-1-arnd@kernel.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7889c20
    • Peter Chen's avatar
      usb: gadget: core: change the comment for usb_gadget_connect · 7043e311
      Peter Chen authored
      The pullup does not need to be enabled at below situations:
      - For platforms which the hardware pullup starts after setting
      register even they do not see the VBUS. If the pullup is always
      enabled for these platforms, it will consume more power and
      break the USB IF compliance tests [1].
      - For platforms which need to do BC 1.2 charger detection after
      seeing the VBUS. Pullup D+ will break the charger detection
      flow.
      - For platforms which the system suspend is allowed when the
      connection with host is there but the bus is not at suspend.
      For these platforms, it is better to disable pullup when
      entering the system suspend otherwise the host may confuse
      the device behavior after controller is in low power mode.
      Disable pullup is considered as a disconnection event from
      host side.
      
      [1] USB-IF Full and Low Speed Compliance Test Procedure
      F Back-voltage Testing
      Section 7.2.1 of the USB specification requires that no device
      shall supply (source) current on VBUS at its upstream facing
      port at any time. From VBUS on its upstream facing port,
      a device may only draw (sink) current. They may not provide power
      to the pull-up resistor on D+/D- unless VBUS is present (see
      Section 7.1.5).
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Link: https://lore.kernel.org/r/20201230051114.21370-1-peter.chen@nxp.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7043e311
    • Eddie Hung's avatar
      usb: gadget: configfs: Fix use-after-free issue with udc_name · 64e6bbff
      Eddie Hung authored
      There is a use-after-free issue, if access udc_name
      in function gadget_dev_desc_UDC_store after another context
      free udc_name in function unregister_gadget.
      
      Context 1:
      gadget_dev_desc_UDC_store()->unregister_gadget()->
      free udc_name->set udc_name to NULL
      
      Context 2:
      gadget_dev_desc_UDC_show()-> access udc_name
      
      Call trace:
      dump_backtrace+0x0/0x340
      show_stack+0x14/0x1c
      dump_stack+0xe4/0x134
      print_address_description+0x78/0x478
      __kasan_report+0x270/0x2ec
      kasan_report+0x10/0x18
      __asan_report_load1_noabort+0x18/0x20
      string+0xf4/0x138
      vsnprintf+0x428/0x14d0
      sprintf+0xe4/0x12c
      gadget_dev_desc_UDC_show+0x54/0x64
      configfs_read_file+0x210/0x3a0
      __vfs_read+0xf0/0x49c
      vfs_read+0x130/0x2b4
      SyS_read+0x114/0x208
      el0_svc_naked+0x34/0x38
      
      Add mutex_lock to protect this kind of scenario.
      Signed-off-by: default avatarEddie Hung <eddie.hung@mediatek.com>
      Signed-off-by: default avatarMacpaul Lin <macpaul.lin@mediatek.com>
      Reviewed-by: default avatarPeter Chen <peter.chen@nxp.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/1609239215-21819-1-git-send-email-macpaul.lin@mediatek.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64e6bbff
    • Wesley Cheng's avatar
      usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup · a1383b35
      Wesley Cheng authored
      usb_gadget_deactivate/usb_gadget_activate does not execute the UDC start
      operation, which may leave EP0 disabled and event IRQs disabled when
      re-activating the function. Move the enabling/disabling of USB EP0 and
      device event IRQs to be performed in the pullup routine.
      
      Fixes: ae7e8610 ("usb: dwc3: Stop active transfers before halting the controller")
      Tested-by: default avatarMichael Tretter <m.tretter@pengutronix.de>
      Cc: stable <stable@vger.kernel.org>
      Reported-by: default avatarMichael Tretter <m.tretter@pengutronix.de>
      Signed-off-by: default avatarWesley Cheng <wcheng@codeaurora.org>
      Link: https://lore.kernel.org/r/1609282837-21666-1-git-send-email-wcheng@codeaurora.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1383b35
    • Randy Dunlap's avatar
      usb: usbip: vhci_hcd: protect shift size · 718bf42b
      Randy Dunlap authored
      Fix shift out-of-bounds in vhci_hcd.c:
      
        UBSAN: shift-out-of-bounds in ../drivers/usb/usbip/vhci_hcd.c:399:41
        shift exponent 768 is too large for 32-bit type 'int'
      
      Fixes: 03cd00d5 ("usbip: vhci-hcd: Set the vhci structure up to work")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Reported-by: syzbot+297d20e437b79283bf6d@syzkaller.appspotmail.com
      Cc: Yuyang Du <yuyang.du@intel.com>
      Cc: Shuah Khan <shuahkh@osg.samsung.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: linux-usb@vger.kernel.org
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20201229071309.18418-1-rdunlap@infradead.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      718bf42b
    • Johan Hovold's avatar
      USB: usblp: fix DMA to stack · 020a1f45
      Johan Hovold authored
      Stack-allocated buffers cannot be used for DMA (on all architectures).
      
      Replace the HP-channel macro with a helper function that allocates a
      dedicated transfer buffer so that it can continue to be used with
      arguments from the stack.
      
      Note that the buffer is cleared on allocation as usblp_ctrl_msg()
      returns success also on short transfers (the buffer is only used for
      debugging).
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Link: https://lore.kernel.org/r/20210104145302.2087-1-johan@kernel.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      020a1f45
    • Johan Hovold's avatar
      USB: serial: iuu_phoenix: fix DMA from stack · 54d0a3ab
      Johan Hovold authored
      Stack-allocated buffers cannot be used for DMA (on all architectures) so
      allocate the flush command buffer using kmalloc().
      
      Fixes: 60a8fc01 ("USB: add iuu_phoenix driver")
      Cc: stable <stable@vger.kernel.org>     # 2.6.25
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      54d0a3ab
    • Daniel Palmer's avatar
      USB: serial: option: add LongSung M5710 module support · 0e2d6795
      Daniel Palmer authored
      Add a device-id entry for the LongSung M5710 module.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=2df3 ProdID=9d03 Rev= 1.00
      S:  Manufacturer=Marvell
      S:  Product=Mobile Composite Device Bus
      S:  SerialNumber=<snip>
      C:* #Ifs= 5 Cfg#= 1 Atr=c0 MxPwr=500mA
      A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
      I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
      E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=4096ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=4096ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      E:  Ad=88(I) Atr=03(Int.) MxPS=  64 Ivl=4096ms
      E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      Signed-off-by: default avatarDaniel Palmer <daniel@0x0f.com>
      https://lore.kernel.org/r/20201227031716.1343300-1-daniel@0x0f.com
      [ johan: drop id defines, only bind to vendor class ]
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      0e2d6795
    • Bjørn Mork's avatar
      USB: serial: option: add Quectel EM160R-GL · d6c1ddd9
      Bjørn Mork authored
      New modem using ff/ff/30 for QCDM, ff/00/00 for  AT and NMEA,
      and ff/ff/ff for RMNET/QMI.
      
      T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
      D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1
      P: Vendor=2c7c ProdID=0620 Rev= 4.09
      S: Manufacturer=Quectel
      S: Product=EM160R-GL
      S: SerialNumber=e31cedc1
      C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none)
      E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
      E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
      E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      [ johan: add model comment ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      d6c1ddd9
  4. 30 Dec, 2020 1 commit
    • Alan Stern's avatar
      USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug · c318840f
      Alan Stern authored
      The dummy-hcd driver was written under the assumption that all the
      parameters in URBs sent to its root hub would be valid.  With URBs
      sent from userspace via usbfs, that assumption can be violated.
      
      In particular, the driver doesn't fully check the port-feature values
      stored in the wValue entry of Clear-Port-Feature and Set-Port-Feature
      requests.  Values that are too large can cause the driver to perform
      an invalid left shift of more than 32 bits.  Ironically, two of those
      left shifts are unnecessary, because they implement Set-Port-Feature
      requests that hubs are not required to support, according to section
      11.24.2.13 of the USB-2.0 spec.
      
      This patch adds the appropriate checks for the port feature selector
      values and removes the unnecessary feature settings.  It also rejects
      requests to set the TEST feature or to set or clear the INDICATOR and
      C_OVERCURRENT features, as none of these are relevant to dummy-hcd's
      root-hub emulation.
      
      CC: <stable@vger.kernel.org>
      Reported-and-tested-by: syzbot+5925509f78293baa7331@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Link: https://lore.kernel.org/r/20201230162044.GA727759@rowland.harvard.eduSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c318840f
  5. 28 Dec, 2020 18 commits
  6. 27 Dec, 2020 8 commits
  7. 26 Dec, 2020 1 commit