1. 12 Feb, 2019 1 commit
  2. 31 Jan, 2019 1 commit
    • USB: leds: fix regression in usbport led trigger · f15b66e8
      Christian Lamparter authored
      commit 91f7d2e8 upstream.
      
      The patch "usb: simplify usbport trigger" together with "leds: triggers:
      add device attribute support" caused a regression for the usbport
      trigger. It will no longer enumerate any active usb hub ports under the
      "ports" directory in the sysfs class directory, if the usb host drivers
      are fully initialized before the usbport trigger was loaded.
      
      The reason is that the usbport driver tries to register the sysfs
      entries during the activate() callback. And this will fail with -2 /
      ENOENT because the patch "leds: triggers: add device attribute support"
      made it so that the sysfs "ports" group was only being added after the
      activate() callback succeeded.
      
      This version of the patch reverts parts of the "usb: simplify usbport
      trigger" patch and restores usbport trigger's functionality.
      
      Fixes: 6f7b0bad ("usb: simplify usbport trigger")
      Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. 16 Jan, 2019 2 commits
  4. 05 Dec, 2018 3 commits
    • USB: check usb_get_extra_descriptor for proper size · 704620af
      Mathias Payer authored
      When reading an extra descriptor, we need to properly check the minimum
      and maximum size allowed, to prevent from invalid data being sent by a
      device.
      Reported-by: Hui Peng <benquike@gmail.com>
      Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
      Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Hui Peng <benquike@gmail.com>
      Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable <stable@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
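The minimum and maximum size checks that the commit message above describes, as an added userspace sketch (not the kernel's code and not part of the commit). `find_extra_descriptor()`, its parameters, the descriptor type values and the sample buffers are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 2u  /* every USB descriptor starts with bLength, bDescriptorType */

/*
 * Return the first descriptor of the wanted type that is at least minsize
 * bytes long, or NULL. buf/size are the device-supplied "extra" bytes.
 * (Function name and parameters are made up for this example.)
 */
static const uint8_t *find_extra_descriptor(const uint8_t *buf, size_t size,
                                            uint8_t type, size_t minsize)
{
    while (size >= HDR_LEN) {
        size_t len = buf[0];    /* bLength, as claimed by the device */

        /* Maximum: the claimed length must fit in what is left of the buffer.
         * A length below the header size is malformed and would stall the walk. */
        if (len < HDR_LEN || len > size)
            return NULL;

        /* Minimum: only hand back a descriptor the caller can read in full. */
        if (buf[1] == type && len >= minsize)
            return buf;

        buf += len;
        size -= len;
    }
    return NULL;
}

/* Constructed sample buffers; the caller wants type 0x30 with a 6-byte layout. */
static const uint8_t good[]      = { 3, 0x24, 0xAA, 6, 0x30, 1, 2, 3, 4 };
static const uint8_t too_short[] = { 3, 0x30, 0x00 };              /* 3 of 6 bytes */
static const uint8_t overlong[]  = { 3, 0x24, 0xAA, 64, 0x30, 0 }; /* claims 64, 3 left */
static const uint8_t zero_len[]  = { 0, 0x30 };                    /* bLength of 0 */

static const char *verdict(const uint8_t *buf, size_t size)
{
    return find_extra_descriptor(buf, size, 0x30, 6) ? "found" : "rejected";
}

int main(void)
{
    printf("good:      %s\n", verdict(good, sizeof good));
    printf("too_short: %s\n", verdict(too_short, sizeof too_short));
    printf("overlong:  %s\n", verdict(overlong, sizeof overlong));
    printf("zero_len:  %s\n", verdict(zero_len, sizeof zero_len));
    return 0;
}
```

With `minsize` passed as 0 the `too_short` buffer is accepted, which is the case where a caller would go on to read six bytes out of a three-byte descriptor.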
    • usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device · 2f2dde6b
      Harry Pan authored
      Some lower volume SanDisk Ultra Flair in 16GB, which the VID:PID is
      in 0781:5591, will aggressively request LPM of U1/U2 during runtime,
      when using this thumb drive as the OS installation key we found the
      device will generate failure during U1 exit path making it dropped
      from the USB bus, this causes a corrupted installation in system at
      the end.
      
      i.e.,
      [  166.918296] hub 2-0:1.0: state 7 ports 7 chg 0000 evt 0004
      [  166.918327] usb usb2-port2: link state change
      [  166.918337] usb usb2-port2: do warm reset
      [  166.970039] usb usb2-port2: not warm reset yet, waiting 50ms
      [  167.022040] usb usb2-port2: not warm reset yet, waiting 200ms
      [  167.276043] usb usb2-port2: status 02c0, change 0041, 5.0 Gb/s
      [  167.276050] usb 2-2: USB disconnect, device number 2
      [  167.276058] usb 2-2: unregistering device
      [  167.276060] usb 2-2: unregistering interface 2-2:1.0
      [  167.276170] xhci_hcd 0000:00:15.0: shutdown urb ffffa3c7cc695cc0 ep1in-bulk
      [  167.284055] sd 0:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
      [  167.284064] sd 0:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 33 04 90 00 01 00 00
      ...
      
      Analyzed the USB trace in the link layer we realized it is because
      of the 6-ms timer of tRecoveryConfigurationTimeout which documented
      on the USB 3.2 Revision 1.0, the section 7.5.10.4.2 of "Exit from
      Recovery.Configuration"; device initiates U1 exit -> Recovery.Active
      -> Recovery.Configuration, then the host timer timeout makes the link
      transits to eSS.Inactive -> Rx.Detect follows by a Warm Reset.
      
      Interestingly, the other higher volume of SanDisk Ultra Flair sharing
      the same VID:PID, such as 64GB, would not request LPM during runtime,
      it sticks at U0 always, thus disabling LPM does not affect those thumb
      drives at all.
      
      The same odd occurs in SanDisk Ultra Fit 16GB, VID:PID in 0781:5583.
      Signed-off-by: Harry Pan <harry.pan@intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: Fix invalid-free bug in port_over_current_notify() · d81bb019
      Alan Stern authored
      Syzbot and KASAN found the following invalid-free bug in
      port_over_current_notify():
      
      --------------------------------------------------------------------------
      BUG: KASAN: double-free or invalid-free in port_over_current_notify
      drivers/usb/core/hub.c:5192 [inline]
      BUG: KASAN: double-free or invalid-free in port_event
      drivers/usb/core/hub.c:5241 [inline]
      BUG: KASAN: double-free or invalid-free in hub_event+0xd97/0x4140
      drivers/usb/core/hub.c:5384
      
      CPU: 1 PID: 32710 Comm: kworker/1:3 Not tainted 4.20.0-rc3+ #129
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x244/0x39d lib/dump_stack.c:113
        print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
        kasan_report_invalid_free+0x64/0xa0 mm/kasan/report.c:336
        __kasan_slab_free+0x13a/0x150 mm/kasan/kasan.c:501
        kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
        __cache_free mm/slab.c:3498 [inline]
        kfree+0xcf/0x230 mm/slab.c:3817
        port_over_current_notify drivers/usb/core/hub.c:5192 [inline]
        port_event drivers/usb/core/hub.c:5241 [inline]
        hub_event+0xd97/0x4140 drivers/usb/core/hub.c:5384
        process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
        worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
        kthread+0x35a/0x440 kernel/kthread.c:246
        ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      --------------------------------------------------------------------------
      
      The problem is caused by use of a static array to store
      environment-string pointers.  When the routine is called by multiple
      threads concurrently, the pointers from one thread can overwrite those
      from another.
      
      The solution is to use an ordinary automatic array instead of a static
      array.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: syzbot+98881958e1410ec7e53c@syzkaller.appspotmail.com
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. 26 Nov, 2018 1 commit
  6. 14 Nov, 2018 1 commit
    • usb: core: Fix hub port connection events lost · 22454b79
      Dennis Wassenberg authored
      This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset
      only if a device was attached to the hub port before resetting the hub port.
      
      Using a Lenovo T480s attached to the ultra dock it was not possible to detect
      some usb-c devices at the dock usb-c ports because the hub_port_reset code
      will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset.
      Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the
      actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit.
      This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the
      new device was attached such that it was not detected.
      
      This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is
      currently no device attached to the port before the hub port reset.
      This will avoid clearing the connection bit for new attached devices.
      Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
      Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  7. 07 Nov, 2018 3 commits
  8. 16 Oct, 2018 1 commit
    • USB: fix the usbfs flag sanitization for control transfers · 665c365a
      Alan Stern authored
      Commit 7a68d9fb ("USB: usbdevfs: sanitize flags more") checks the
      transfer flags for URBs submitted from userspace via usbfs.  However,
      the check for whether the USBDEVFS_URB_SHORT_NOT_OK flag should be
      allowed for a control transfer was added in the wrong place, before
      the code has properly determined the direction of the control
      transfer.  (Control transfers are special because for them, the
      direction is set by the bRequestType byte of the Setup packet rather
      than direction bit of the endpoint address.)
      
      This patch moves code which sets up the allow_short flag for control
      transfers down after is_in has been set to the correct value.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
      Fixes: 7a68d9fb ("USB: usbdevfs: sanitize flags more")
      CC: Oliver Neukum <oneukum@suse.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. 09 Oct, 2018 2 commits
  10. 03 Oct, 2018 1 commit
    • signal: Distinguish between kernel_siginfo and siginfo · ae7795bc
      Eric W. Biederman authored
      Linus recently observed that if we did not worry about the padding
      member in struct siginfo it is only about 48 bytes, and 48 bytes is
      much nicer than 128 bytes for allocating on the stack and copying
      around in the kernel.
      
      The obvious thing of only adding the padding when userspace is
      including siginfo.h won't work as there are sigframe definitions in
      the kernel that embed struct siginfo.
      
      So split siginfo in two; kernel_siginfo and siginfo.  Keeping the
      traditional name for the userspace definition.  While the version that
      is used internally to the kernel and ultimately will not be padded to
      128 bytes is called kernel_siginfo.
      
      The definition of struct kernel_siginfo I have put in include/signal_types.h
      
      A set of buildtime checks has been added to verify the two structures have
      the same field offsets.
      
      To make it easy to verify the change kernel_siginfo retains the same
      size as siginfo.  The reduction in size comes in a following change.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  11. 02 Oct, 2018 2 commits
  12. 28 Sep, 2018 1 commit
    • usb: core: added uevent for over-current · 201af55d
      Jon Flatley authored
      After commit 1cbd53c8 ("usb: core: introduce per-port over-current
      counters") usb ports expose a sysfs value 'over_current_count'
      to user space. This value on its own is not very useful as it requires
      manual polling.
      
      As a solution, fire a udev event from the usb hub device that specifies
      the values 'OVER_CURRENT_PORT' and 'OVER_CURRENT_COUNT' that indicate
      the path of the usb port where the over-current event occurred and the
      value of 'over_current_count' in sysfs. Additionally, call
      sysfs_notify() so the sysfs value supports poll().
      Signed-off-by: Jon Flatley <jflat@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. 20 Sep, 2018 7 commits
    • usb: core: safely deal with the dynamic quirk lists · 16c4cb19
      Harry Pan authored
      Applying dynamic usbcore quirks in early booting when the slab is
      not yet ready would cause kernel panic of null pointer dereference
      because the quirk_count has been counted as 1 while the quirk_list
      failed to allocate.
      
      i.e.,
      [    1.044970] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [    1.044995] IP: [<ffffffffb0953ec7>] usb_detect_quirks+0x88/0xd1
      [    1.045016] PGD 0
      [    1.045026] Oops: 0000 [#1] PREEMPT SMP
      [    1.046986] gsmi: Log Shutdown Reason 0x03
      [    1.046995] Modules linked in:
      [    1.047008] CPU: 0 PID: 81 Comm: kworker/0:3 Not tainted 4.4.154 #28
      [    1.047016] Hardware name: Google Coral/Coral, BIOS Google_Coral.10068.27.0 12/04/2017
      [    1.047028] Workqueue: usb_hub_wq hub_event
      [    1.047037] task: ffff88017a321c80 task.stack: ffff88017a384000
      [    1.047044] RIP: 0010:[<ffffffffb0953ec7>]  [<ffffffffb0953ec7>] usb_detect_quirks+0x88/0xd1
      
      To tackle this odd, let's balance the quirk_count to 0 when the kcalloc
      call fails, and defer the quirk setting into a lower level callback
      which ensures that the kernel memory management has been initialized.
      
      Fixes: 027bd6ca ("usb: core: Add "quirks" parameter for usbcore")
      Signed-off-by: Harry Pan <harry.pan@intel.com>
      Acked-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usbcore: Select UAC3 configuration for audio if present · f13912d3
      Saranya Gopal authored
      USB audio class 3.0 specification introduced many significant
      changes like
       - new power domains, support for LPM/L1
       - new cluster descriptor
       - new high capability and class-specific string descriptors
       - BADD profiles
       - ... and many other things (check spec from link below:
      http://www.usb.org/developers/docs/devclass_docs/USB_Audio_v3.0.zip)
      
      Now that UAC3 is supported in Linux, choose UAC3
      configuration for audio if the device supports it.
      Selecting this configuration will enable the system to
      save power by leveraging the new power domains and LPM L1
      capability and also support new codec types and data formats
      for consumer audio applications.
      Signed-off-by: Saranya Gopal <saranya.gopal@intel.com>
      Reviewed-by: Felipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: handle NULL config in usb_find_alt_setting() · c9a4cb20
      Alan Stern authored
      usb_find_alt_setting() takes a pointer to a struct usb_host_config as
      an argument; it searches for an interface with specified interface and
      alternate setting numbers in that config.  However, it crashes if the
      usb_host_config pointer argument is NULL.
      
      Since this is a general-purpose routine, available for use in many
      places, we want it to be more robust.  This patch makes it return NULL
      whenever the config argument is NULL.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: fix error handling in usb_driver_claim_interface() · bd729f9d
      Alan Stern authored
      The syzbot fuzzing project found a use-after-free bug in the USB
      core.  The bug was caused by usbfs not unbinding from an interface
      when the USB device file was closed, which led another process to
      attempt the unbind later on, after the private data structure had been
      deallocated.
      
      The reason usbfs did not unbind the interface at the appropriate time
      was because it thought the interface had never been claimed in the
      first place.  This was caused by the fact that
      usb_driver_claim_interface() does not clean up properly when
      device_bind_driver() returns an error.  Although the error code gets
      passed back to the caller, the iface->dev.driver pointer remains set
      and iface->condition remains equal to USB_INTERFACE_BOUND.
      
      This patch adds proper error handling to usb_driver_claim_interface().
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: remove LPM management from usb_driver_claim_interface() · c183813f
      Alan Stern authored
      usb_driver_claim_interface() disables and re-enables Link Power
      Management, but it shouldn't do either one, for the reasons listed
      below.  This patch removes the two LPM-related function calls from the
      routine.
      
      The reason for disabling LPM in the analogous function
      usb_probe_interface() is so that drivers won't have to deal with
      unwanted LPM transitions in their probe routine.  But
      usb_driver_claim_interface() doesn't call the driver's probe routine
      (or any other callbacks), so that reason doesn't apply here.
      
      Furthermore, no driver other than usbfs will ever call
      usb_driver_claim_interface() unless it is already bound to another
      interface in the same device, which means disabling LPM here would be
      redundant.  usbfs doesn't interact with LPM at all.
      
      Lastly, the error return from usb_unlocked_disable_lpm() isn't handled
      properly; the code doesn't clean up its earlier actions before
      returning.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Fixes: 8306095f ("USB: Disable USB 3.0 LPM in critical sections.")
      CC: <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: usbdevfs: restore warning for nonsensical flags · 81e0403b
      Oliver Neukum authored
      If we filter flags before they reach the core we need to generate our
      own warnings.
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Fixes: 0cb54a3e ("USB: debugging code shouldn't alter control flow")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: usbdevfs: sanitize flags more · 7a68d9fb
      Oliver Neukum authored
      Requesting a ZERO_PACKET or not is sensible only for output.
      In the input direction the device decides.
      Likewise accepting short packets makes sense only for input.
      
      This allows operation with panic_on_warn without opening up
      a local DoS.
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Reported-by: syzbot+843efa30c8821bd69f53@syzkaller.appspotmail.com
      Fixes: 0cb54a3e ("USB: debugging code shouldn't alter control flow")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
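The direction rule from "USB: usbdevfs: sanitize flags more" and the ordering fix from "USB: fix the usbfs flag sanitization for control transfers" (665c365a, listed above), as an added userspace sketch that is not the kernel's code. The struct, function names and sample requests are hypothetical. It assumes the direction available before the Setup packet is read comes from the endpoint address, and it applies only the direction rule stated in the commit message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local definitions for this example, named after the flags on the page. */
#define SHORT_NOT_OK 0x01u
#define ZERO_PACKET  0x40u
#define DIR_IN       0x80u   /* bit 7 set means device-to-host */

enum xfer_type { XFER_CONTROL, XFER_BULK };

struct urb_req {             /* hypothetical, reduced request */
    enum xfer_type type;
    uint8_t  ep_addr;        /* endpoint address as passed by userspace */
    uint8_t  bRequestType;   /* first Setup byte, control transfers only */
    unsigned flags;
};

/* The page's rule: SHORT_NOT_OK only for input, ZERO_PACKET only for output. */
static unsigned allowed_mask(bool allow_short, bool allow_zero)
{
    return (allow_short ? SHORT_NOT_OK : 0u) | (allow_zero ? ZERO_PACKET : 0u);
}

/* Ordering problem: allow_short is fixed before the control direction is known. */
static unsigned sanitize_early(const struct urb_req *r)
{
    bool is_in = (r->ep_addr & DIR_IN) != 0;
    bool allow_short = is_in;                     /* decided too early */

    if (r->type == XFER_CONTROL)
        is_in = (r->bRequestType & DIR_IN) != 0;  /* the real direction */
    return r->flags & allowed_mask(allow_short, !is_in);
}

/* Corrected ordering: settle is_in first, then derive both permissions. */
static unsigned sanitize(const struct urb_req *r)
{
    bool is_in = (r->ep_addr & DIR_IN) != 0;

    if (r->type == XFER_CONTROL)
        is_in = (r->bRequestType & DIR_IN) != 0;
    return r->flags & allowed_mask(is_in, !is_in);
}

/* Constructed requests, each asking for both flags (0x41). */
static const struct urb_req ctrl_in  = { XFER_CONTROL, 0x00, 0x80, 0x41 };
static const struct urb_req ctrl_out = { XFER_CONTROL, 0x80, 0x00, 0x41 };
static const struct urb_req bulk_in  = { XFER_BULK,    0x81, 0x00, 0x41 };

int main(void)
{
    printf("ctrl IN : early=0x%02x fixed=0x%02x\n", sanitize_early(&ctrl_in), sanitize(&ctrl_in));
    printf("ctrl OUT: early=0x%02x fixed=0x%02x\n", sanitize_early(&ctrl_out), sanitize(&ctrl_out));
    printf("bulk IN : early=0x%02x fixed=0x%02x\n", sanitize_early(&bulk_in), sanitize(&bulk_in));
    return 0;
}
```

For the control IN request the early variant strips SHORT_NOT_OK even though the Setup packet says the transfer is an input; for the control OUT request it lets the flag through.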
  14. 11 Sep, 2018 1 commit
  15. 10 Sep, 2018 4 commits
  16. 05 Sep, 2018 4 commits
  17. 21 Jul, 2018 1 commit
  18. 06 Jul, 2018 1 commit
  19. 05 Jul, 2018 2 commits
  20. 28 Jun, 2018 1 commit