<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/gadget, branch linux-4.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>usb: gadget: f_hid: fix: Prevent accessing released memory</title>
<updated>2018-05-23T01:33:55+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>kopasiak90@gmail.com</email>
</author>
<published>2017-01-19T17:55:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1d0799a8ee6f577a003015d21a1b7b510da5cdf9'/>
<id>1d0799a8ee6f577a003015d21a1b7b510da5cdf9</id>
<content type='text'>
[ Upstream commit aa65d11aa008f4de58a9cee7e121666d9d68505e ]

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner &lt;david@lechnology.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit aa65d11aa008f4de58a9cee7e121666d9d68505e ]

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner &lt;david@lechnology.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: align buffer size when allocating for OUT endpoint</title>
<updated>2018-05-23T01:33:55+00:00</updated>
<author>
<name>Felipe F. Tonello</name>
<email>eu@felipetonello.com</email>
</author>
<published>2016-08-08T20:30:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9b20332e6fa4260071845ec8a40c9506171f81b9'/>
<id>9b20332e6fa4260071845ec8a40c9506171f81b9</id>
<content type='text'>
[ Upstream commit e0466156ee2e944fb47a3fa00932c3698a6d2c67 ]

Using usb_ep_align() makes sure that the buffer size for OUT endpoints is
always aligned with wMaxPacketSize (512 usually). This makes sure
that no buffer has the wrong size, which can cause nasty bugs.

Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e0466156ee2e944fb47a3fa00932c3698a6d2c67 ]

Using usb_ep_align() makes sure that the buffer size for OUT endpoints is
always aligned with wMaxPacketSize (512 usually). This makes sure
that no buffer has the wrong size, which can cause nasty bugs.

Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: change len to size_t on alloc_ep_req()</title>
<updated>2018-05-23T01:33:55+00:00</updated>
<author>
<name>Felipe F. Tonello</name>
<email>eu@felipetonello.com</email>
</author>
<published>2016-08-08T20:30:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=deea56aad578ab5a9c00c8c25fec483d32e6e7cc'/>
<id>deea56aad578ab5a9c00c8c25fec483d32e6e7cc</id>
<content type='text'>
[ Upstream commit 69bb99738b5c6d56d2b1a75db9cbb4d187453c1a ]

Length of buffers should be of type size_t whenever possible. Altough
recommended, this change has no real practical change, unless a driver has a
uses a huge or negative buffer size - it might help find these bugs.

Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 69bb99738b5c6d56d2b1a75db9cbb4d187453c1a ]

Length of buffers should be of type size_t whenever possible. Altough
recommended, this change has no real practical change, unless a driver has a
uses a huge or negative buffer size - it might help find these bugs.

Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: define free_ep_req as universal function</title>
<updated>2018-05-23T01:33:55+00:00</updated>
<author>
<name>Felipe F. Tonello</name>
<email>eu@felipetonello.com</email>
</author>
<published>2015-11-10T17:52:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7490317aa978a85a82183d0a6ea97c05c76e659e'/>
<id>7490317aa978a85a82183d0a6ea97c05c76e659e</id>
<content type='text'>
[ Upstream commit 079fe5a6da616891cca1a26e803e1df2a87e9ae5 ]

This function is shared between gadget functions, so this avoid unnecessary
duplicated code and potentially avoid memory leaks.

Reviewed-by: Robert Baldyga &lt;r.baldyga@samsung.com&gt;
Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 079fe5a6da616891cca1a26e803e1df2a87e9ae5 ]

This function is shared between gadget functions, so this avoid unnecessary
duplicated code and potentially avoid memory leaks.

Reviewed-by: Robert Baldyga &lt;r.baldyga@samsung.com&gt;
Signed-off-by: Felipe F. Tonello &lt;eu@felipetonello.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: bdc: 64-bit pointer capability check</title>
<updated>2018-05-23T01:33:48+00:00</updated>
<author>
<name>Srinath Mannam</name>
<email>srinath.mannam@broadcom.com</email>
</author>
<published>2017-06-15T09:09:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2e2c502b16f40d2c6d4a0aa5f9ecedbf2d5895f7'/>
<id>2e2c502b16f40d2c6d4a0aa5f9ecedbf2d5895f7</id>
<content type='text'>
[ Upstream commit c8e4e5bdb62a5ac6f860ebcaaf7b467b62f453f1 ]

Corrected the register to check the 64-bit pointer
capability state. 64-bit pointer implementation capability
was checking in wrong register, which causes the BDC
enumeration failure in 64-bit memory address.

Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for
Broadcom USB3.0 device controller IP BDC")

Reviewed-by: Florian Fainelli &lt;f.fainelli@gmail.com&gt;
Signed-off-by: Srinath Mannam &lt;srinath.mannam@broadcom.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c8e4e5bdb62a5ac6f860ebcaaf7b467b62f453f1 ]

Corrected the register to check the 64-bit pointer
capability state. 64-bit pointer implementation capability
was checking in wrong register, which causes the BDC
enumeration failure in 64-bit memory address.

Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for
Broadcom USB3.0 device controller IP BDC")

Reviewed-by: Florian Fainelli &lt;f.fainelli@gmail.com&gt;
Signed-off-by: Srinath Mannam &lt;srinath.mannam@broadcom.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe()</title>
<updated>2018-05-23T01:33:48+00:00</updated>
<author>
<name>Wei Yongjun</name>
<email>weiyongjun1@huawei.com</email>
</author>
<published>2018-01-23T09:35:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e3d0bbef56a2e082dc9e0259b67967d0a0ba5acd'/>
<id>e3d0bbef56a2e082dc9e0259b67967d0a0ba5acd</id>
<content type='text'>
[ Upstream commit 8874ae5f15f3feef3b4a415b9aed51edcf449aa1 ]

Add the missing platform_device_put() before return from bdc_pci_probe()
in the platform_device_add_resources() error handling case.

Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC")
Signed-off-by: Wei Yongjun &lt;weiyongjun1@huawei.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8874ae5f15f3feef3b4a415b9aed51edcf449aa1 ]

Add the missing platform_device_put() before return from bdc_pci_probe()
in the platform_device_add_resources() error handling case.

Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC")
Signed-off-by: Wei Yongjun &lt;weiyongjun1@huawei.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in dummy_hub_control()</title>
<updated>2018-05-23T01:33:45+00:00</updated>
<author>
<name>Yuyang Du</name>
<email>yuyang.du@intel.com</email>
</author>
<published>2017-03-23T20:06:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8ca8c0877c596a268dd7d1a96fd97d4abd61f831'/>
<id>8ca8c0877c596a268dd7d1a96fd97d4abd61f831</id>
<content type='text'>
[ Upstream commit 9f20dfb44d03745d0d3cef2ffb3abf8d8024fa61 ]

This fixes the commit: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add
SuperSpeed support").

In the case of ClearPortFeature and USB_PORT_FEAT_POWER, simply clear
the right bit regardless of what the wValue is.

Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Yuyang Du &lt;yuyang.du@intel.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9f20dfb44d03745d0d3cef2ffb3abf8d8024fa61 ]

This fixes the commit: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add
SuperSpeed support").

In the case of ClearPortFeature and USB_PORT_FEAT_POWER, simply clear
the right bit regardless of what the wValue is.

Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Yuyang Du &lt;yuyang.du@intel.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()</title>
<updated>2018-03-21T03:49:54+00:00</updated>
<author>
<name>Xinyong</name>
<email>xinyong.fang@linux.alibaba.com</email>
</author>
<published>2018-03-02T11:20:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f642176da2177e68e1cfdb89d5cb62d255eb53b4'/>
<id>f642176da2177e68e1cfdb89d5cb62d255eb53b4</id>
<content type='text'>
[ Upstream commit 1a087f032111a88e826877449dfb93ceb22b78b9 ]

When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1a087f032111a88e826877449dfb93ceb22b78b9 ]

When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;

Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Process all descriptors during bind</title>
<updated>2018-03-04T15:28:34+00:00</updated>
<author>
<name>Jack Pham</name>
<email>jackp@codeaurora.org</email>
</author>
<published>2018-01-24T08:11:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b177a6a134847538b78c12fffb49afe2f8335be0'/>
<id>b177a6a134847538b78c12fffb49afe2f8335be0</id>
<content type='text'>
[ Upstream commit 6cf439e0d37463e42784271179c8a308fd7493c6 ]

During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6cf439e0d37463e42784271179c8a308fd7493c6 ]

During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: f_fs: Prevent gadget unbind if it is already unbound</title>
<updated>2018-03-01T03:09:47+00:00</updated>
<author>
<name>Hemant Kumar</name>
<email>hemantk@codeaurora.org</email>
</author>
<published>2018-01-09T07:00:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1f4ac76de1ff4b79c6ef51a1c1d909c54289ff61'/>
<id>1f4ac76de1ff4b79c6ef51a1c1d909c54289ff61</id>
<content type='text'>
[ Upstream commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a ]

Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a ]

Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
