<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb, branch v4.9.69</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver</title>
<updated>2017-12-14T08:28:18+00:00</updated>
<author>
<name>Raz Manor</name>
<email>Raz.Manor@valens.com</email>
</author>
<published>2017-02-09T07:41:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2afb2d892c1d54e560c0dc047919bff6129baa1a'/>
<id>2afb2d892c1d54e560c0dc047919bff6129baa1a</id>
<content type='text'>
[ Upstream commit ef5e2fa9f65befa12f1113c734602d2c1964d2a5 ]

In the function scan_dma_completions() there is a reusage of tmp
variable. That coused a wrong value being used in some case when
reading a short packet terminated transaction from an endpoint,
in 2 concecutive reads.

This was my logic for the patch:

The req-&gt;td-&gt;dmadesc equals to 0 iff:
-- There was a transaction ending with a short packet, and
-- The read() to read it was shorter than the transaction length, and
-- The read() to complete it is longer than the residue.
I believe this is true from the printouts of various cases,
but I can't be positive it is correct.

Entering this if, there should be no more data in the endpoint
(a short packet terminated the transaction).
If there is, the transaction wasn't really done and we should exit and
wait for it to finish entirely. That is the inner if.
That inner if should never happen, but it is there to be on the safe
side. That is why it is marked with the comment /* paranoia */.
The size of the data available in the endpoint is ep-&gt;dma-&gt;dmacount
and it is read to tmp.
This entire clause is based on my own educated guesses.

If we passed that inner if without breaking in the original code,
than tmp &amp; DMA_BYTE_MASK_COUNT== 0.
That means we will always pass dma bytes count of 0 to dma_done(),
meaning all the requested bytes were read.

dma_done() reports back to the upper layer that the request (read())
was done and how many bytes were read.
In the original code that would always be the request size,
regardless of the actual size of the data.
That did not make sense to me at all.

However, the original value of tmp is req-&gt;td-&gt;dmacount,
which is the dmacount value when the request's dma transaction was
finished. And that is a much more reasonable value to report back to
the caller.

To recreate the problem:
Read from a bulk out endpoint in a loop, 1024 * n bytes in each
iteration.
Connect the PLX to a host you can control.
Send to that endpoint 1024 * n + x bytes,
such that 0 &lt; x &lt; 1024 * n and (x % 1024) != 0
You would expect the first read() to return 1024 * n
and the second read() to return x.
But you will get the first read to return 1024 * n
and the second one to return 1024 * n.
That is true for every positive integer n.

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: linux-usb@vger.kernel.org
Signed-off-by: Raz Manor &lt;Raz.Manor@valens.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ef5e2fa9f65befa12f1113c734602d2c1964d2a5 ]

In the function scan_dma_completions() there is a reusage of tmp
variable. That coused a wrong value being used in some case when
reading a short packet terminated transaction from an endpoint,
in 2 concecutive reads.

This was my logic for the patch:

The req-&gt;td-&gt;dmadesc equals to 0 iff:
-- There was a transaction ending with a short packet, and
-- The read() to read it was shorter than the transaction length, and
-- The read() to complete it is longer than the residue.
I believe this is true from the printouts of various cases,
but I can't be positive it is correct.

Entering this if, there should be no more data in the endpoint
(a short packet terminated the transaction).
If there is, the transaction wasn't really done and we should exit and
wait for it to finish entirely. That is the inner if.
That inner if should never happen, but it is there to be on the safe
side. That is why it is marked with the comment /* paranoia */.
The size of the data available in the endpoint is ep-&gt;dma-&gt;dmacount
and it is read to tmp.
This entire clause is based on my own educated guesses.

If we passed that inner if without breaking in the original code,
than tmp &amp; DMA_BYTE_MASK_COUNT== 0.
That means we will always pass dma bytes count of 0 to dma_done(),
meaning all the requested bytes were read.

dma_done() reports back to the upper layer that the request (read())
was done and how many bytes were read.
In the original code that would always be the request size,
regardless of the actual size of the data.
That did not make sense to me at all.

However, the original value of tmp is req-&gt;td-&gt;dmacount,
which is the dmacount value when the request's dma transaction was
finished. And that is a much more reasonable value to report back to
the caller.

To recreate the problem:
Read from a bulk out endpoint in a loop, 1024 * n bytes in each
iteration.
Connect the PLX to a host you can control.
Send to that endpoint 1024 * n + x bytes,
such that 0 &lt; x &lt; 1024 * n and (x % 1024) != 0
You would expect the first read() to return 1024 * n
and the second read() to return x.
But you will get the first read to return 1024 * n
and the second one to return 1024 * n.
That is true for every positive integer n.

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: linux-usb@vger.kernel.org
Signed-off-by: Raz Manor &lt;Raz.Manor@valens.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: pxa27x: Test for a valid argument pointer</title>
<updated>2017-12-14T08:28:18+00:00</updated>
<author>
<name>Petr Cvek</name>
<email>petr.cvek@tul.cz</email>
</author>
<published>2017-02-24T01:54:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=82f79a4423fc5f4ab16acb0170aeb06222e1c13b'/>
<id>82f79a4423fc5f4ab16acb0170aeb06222e1c13b</id>
<content type='text'>
[ Upstream commit df7545719a14fa7b481896fb8689e23d0a00f682 ]

A call usb_put_phy(udc-&gt;transceiver) must be tested for a valid pointer.
Use an already existing test for usb_unregister_notifier call.

Acked-by: Robert Jarzmik &lt;robert.jarzmik@free.fr&gt;
Reported-by: Robert Jarzmik &lt;robert.jarzmik@free.fr&gt;
Signed-off-by: Petr Cvek &lt;petr.cvek@tul.cz&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit df7545719a14fa7b481896fb8689e23d0a00f682 ]

A call usb_put_phy(udc-&gt;transceiver) must be tested for a valid pointer.
Use an already existing test for usb_unregister_notifier call.

Acked-by: Robert Jarzmik &lt;robert.jarzmik@free.fr&gt;
Reported-by: Robert Jarzmik &lt;robert.jarzmik@free.fr&gt;
Signed-off-by: Petr Cvek &lt;petr.cvek@tul.cz&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: dwc3: gadget: Fix system suspend/resume on TI platforms</title>
<updated>2017-12-14T08:28:18+00:00</updated>
<author>
<name>Roger Quadros</name>
<email>rogerq@ti.com</email>
</author>
<published>2017-02-15T12:16:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7abf66d78e89800eb3a5759bf7592b6e53721c20'/>
<id>7abf66d78e89800eb3a5759bf7592b6e53721c20</id>
<content type='text'>
[ Upstream commit 1551e35ea4189c1f7199fe278395fc94196715f2 ]

On TI platforms (dra7, am437x), the DWC3_DSTS_DEVCTRLHLT bit is not set
after the device controller is stopped via DWC3_DCTL_RUN_STOP.

If we don't disconnect and stop the gadget, it stops working after a
system resume with the trace below.

There is no point in preventing gadget disconnect and gadget stop during
system suspend/resume as we're going to suspend in any case, whether
DEVCTRLHLT timed out or not.

[  141.727480] ------------[ cut here ]------------
[  141.732349] WARNING: CPU: 1 PID: 2135 at drivers/usb/dwc3/gadget.c:2384 dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3]
[  141.744299] Modules linked in: usb_f_ss_lb g_zero libcomposite xhci_plat_hcd xhci_hcd usbcore dwc3 evdev udc_core m25p80 usb_common spi_nor snd_soc_davinci_mcasp snd_soc_simple_card snd_soc_edma snd_soc_tlv3e
[  141.792163] CPU: 1 PID: 2135 Comm: irq/456-dwc3 Not tainted 4.10.0-rc8 #1138
[  141.799547] Hardware name: Generic DRA74X (Flattened Device Tree)
[  141.805940] [&lt;c01101b4&gt;] (unwind_backtrace) from [&lt;c010c31c&gt;] (show_stack+0x10/0x14)
[  141.814066] [&lt;c010c31c&gt;] (show_stack) from [&lt;c04a0918&gt;] (dump_stack+0xac/0xe0)
[  141.821648] [&lt;c04a0918&gt;] (dump_stack) from [&lt;c013708c&gt;] (__warn+0xd8/0x104)
[  141.828955] [&lt;c013708c&gt;] (__warn) from [&lt;c0137164&gt;] (warn_slowpath_null+0x20/0x28)
[  141.836902] [&lt;c0137164&gt;] (warn_slowpath_null) from [&lt;bf27784c&gt;] (dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3])
[  141.848329] [&lt;bf27784c&gt;] (dwc3_stop_active_transfer.constprop.4 [dwc3]) from [&lt;bf27ab14&gt;] (__dwc3_gadget_ep_disable+0x64/0x528 [dwc3])
[  141.861034] [&lt;bf27ab14&gt;] (__dwc3_gadget_ep_disable [dwc3]) from [&lt;bf27c27c&gt;] (dwc3_gadget_ep_disable+0x3c/0xc8 [dwc3])
[  141.872280] [&lt;bf27c27c&gt;] (dwc3_gadget_ep_disable [dwc3]) from [&lt;bf23b428&gt;] (usb_ep_disable+0x11c/0x18c [udc_core])
[  141.883160] [&lt;bf23b428&gt;] (usb_ep_disable [udc_core]) from [&lt;bf342774&gt;] (disable_ep+0x18/0x54 [usb_f_ss_lb])
[  141.893408] [&lt;bf342774&gt;] (disable_ep [usb_f_ss_lb]) from [&lt;bf3437b0&gt;] (disable_endpoints+0x18/0x50 [usb_f_ss_lb])
[  141.904168] [&lt;bf3437b0&gt;] (disable_endpoints [usb_f_ss_lb]) from [&lt;bf343814&gt;] (disable_source_sink+0x2c/0x34 [usb_f_ss_lb])
[  141.915771] [&lt;bf343814&gt;] (disable_source_sink [usb_f_ss_lb]) from [&lt;bf329a9c&gt;] (reset_config+0x48/0x7c [libcomposite])
[  141.927012] [&lt;bf329a9c&gt;] (reset_config [libcomposite]) from [&lt;bf329afc&gt;] (composite_disconnect+0x2c/0x54 [libcomposite])
[  141.938444] [&lt;bf329afc&gt;] (composite_disconnect [libcomposite]) from [&lt;bf23d7dc&gt;] (usb_gadget_udc_reset+0x10/0x34 [udc_core])
[  141.950237] [&lt;bf23d7dc&gt;] (usb_gadget_udc_reset [udc_core]) from [&lt;bf276d70&gt;] (dwc3_gadget_reset_interrupt+0x64/0x698 [dwc3])
[  141.962022] [&lt;bf276d70&gt;] (dwc3_gadget_reset_interrupt [dwc3]) from [&lt;bf27952c&gt;] (dwc3_thread_interrupt+0x618/0x1a3c [dwc3])
[  141.973723] [&lt;bf27952c&gt;] (dwc3_thread_interrupt [dwc3]) from [&lt;c01a7ce8&gt;] (irq_thread_fn+0x1c/0x54)
[  141.983215] [&lt;c01a7ce8&gt;] (irq_thread_fn) from [&lt;c01a7fbc&gt;] (irq_thread+0x120/0x1f0)
[  141.991247] [&lt;c01a7fbc&gt;] (irq_thread) from [&lt;c015ba14&gt;] (kthread+0xf8/0x138)
[  141.998641] [&lt;c015ba14&gt;] (kthread) from [&lt;c01078f0&gt;] (ret_from_fork+0x14/0x24)
[  142.006213] ---[ end trace b4ecfe9f175b9a9c ]---

Signed-off-by: Roger Quadros &lt;rogerq@ti.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1551e35ea4189c1f7199fe278395fc94196715f2 ]

On TI platforms (dra7, am437x), the DWC3_DSTS_DEVCTRLHLT bit is not set
after the device controller is stopped via DWC3_DCTL_RUN_STOP.

If we don't disconnect and stop the gadget, it stops working after a
system resume with the trace below.

There is no point in preventing gadget disconnect and gadget stop during
system suspend/resume as we're going to suspend in any case, whether
DEVCTRLHLT timed out or not.

[  141.727480] ------------[ cut here ]------------
[  141.732349] WARNING: CPU: 1 PID: 2135 at drivers/usb/dwc3/gadget.c:2384 dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3]
[  141.744299] Modules linked in: usb_f_ss_lb g_zero libcomposite xhci_plat_hcd xhci_hcd usbcore dwc3 evdev udc_core m25p80 usb_common spi_nor snd_soc_davinci_mcasp snd_soc_simple_card snd_soc_edma snd_soc_tlv3e
[  141.792163] CPU: 1 PID: 2135 Comm: irq/456-dwc3 Not tainted 4.10.0-rc8 #1138
[  141.799547] Hardware name: Generic DRA74X (Flattened Device Tree)
[  141.805940] [&lt;c01101b4&gt;] (unwind_backtrace) from [&lt;c010c31c&gt;] (show_stack+0x10/0x14)
[  141.814066] [&lt;c010c31c&gt;] (show_stack) from [&lt;c04a0918&gt;] (dump_stack+0xac/0xe0)
[  141.821648] [&lt;c04a0918&gt;] (dump_stack) from [&lt;c013708c&gt;] (__warn+0xd8/0x104)
[  141.828955] [&lt;c013708c&gt;] (__warn) from [&lt;c0137164&gt;] (warn_slowpath_null+0x20/0x28)
[  141.836902] [&lt;c0137164&gt;] (warn_slowpath_null) from [&lt;bf27784c&gt;] (dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3])
[  141.848329] [&lt;bf27784c&gt;] (dwc3_stop_active_transfer.constprop.4 [dwc3]) from [&lt;bf27ab14&gt;] (__dwc3_gadget_ep_disable+0x64/0x528 [dwc3])
[  141.861034] [&lt;bf27ab14&gt;] (__dwc3_gadget_ep_disable [dwc3]) from [&lt;bf27c27c&gt;] (dwc3_gadget_ep_disable+0x3c/0xc8 [dwc3])
[  141.872280] [&lt;bf27c27c&gt;] (dwc3_gadget_ep_disable [dwc3]) from [&lt;bf23b428&gt;] (usb_ep_disable+0x11c/0x18c [udc_core])
[  141.883160] [&lt;bf23b428&gt;] (usb_ep_disable [udc_core]) from [&lt;bf342774&gt;] (disable_ep+0x18/0x54 [usb_f_ss_lb])
[  141.893408] [&lt;bf342774&gt;] (disable_ep [usb_f_ss_lb]) from [&lt;bf3437b0&gt;] (disable_endpoints+0x18/0x50 [usb_f_ss_lb])
[  141.904168] [&lt;bf3437b0&gt;] (disable_endpoints [usb_f_ss_lb]) from [&lt;bf343814&gt;] (disable_source_sink+0x2c/0x34 [usb_f_ss_lb])
[  141.915771] [&lt;bf343814&gt;] (disable_source_sink [usb_f_ss_lb]) from [&lt;bf329a9c&gt;] (reset_config+0x48/0x7c [libcomposite])
[  141.927012] [&lt;bf329a9c&gt;] (reset_config [libcomposite]) from [&lt;bf329afc&gt;] (composite_disconnect+0x2c/0x54 [libcomposite])
[  141.938444] [&lt;bf329afc&gt;] (composite_disconnect [libcomposite]) from [&lt;bf23d7dc&gt;] (usb_gadget_udc_reset+0x10/0x34 [udc_core])
[  141.950237] [&lt;bf23d7dc&gt;] (usb_gadget_udc_reset [udc_core]) from [&lt;bf276d70&gt;] (dwc3_gadget_reset_interrupt+0x64/0x698 [dwc3])
[  141.962022] [&lt;bf276d70&gt;] (dwc3_gadget_reset_interrupt [dwc3]) from [&lt;bf27952c&gt;] (dwc3_thread_interrupt+0x618/0x1a3c [dwc3])
[  141.973723] [&lt;bf27952c&gt;] (dwc3_thread_interrupt [dwc3]) from [&lt;c01a7ce8&gt;] (irq_thread_fn+0x1c/0x54)
[  141.983215] [&lt;c01a7ce8&gt;] (irq_thread_fn) from [&lt;c01a7fbc&gt;] (irq_thread+0x120/0x1f0)
[  141.991247] [&lt;c01a7fbc&gt;] (irq_thread) from [&lt;c015ba14&gt;] (kthread+0xf8/0x138)
[  141.998641] [&lt;c015ba14&gt;] (kthread) from [&lt;c01078f0&gt;] (ret_from_fork+0x14/0x24)
[  142.006213] ---[ end trace b4ecfe9f175b9a9c ]---

Signed-off-by: Roger Quadros &lt;rogerq@ti.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: gadgetfs: Fix a potential memory leak in 'dev_config()'</title>
<updated>2017-12-14T08:28:18+00:00</updated>
<author>
<name>Christophe JAILLET</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2017-02-21T21:33:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8fe9ea81b1e9b8ad1b7b53a8c4295e4f4c47464d'/>
<id>8fe9ea81b1e9b8ad1b7b53a8c4295e4f4c47464d</id>
<content type='text'>
[ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ]

'kbuf' is allocated just a few lines above using 'memdup_user()'.
If the 'if (dev-&gt;buf)' test fails, this memory is never released.

Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ]

'kbuf' is allocated just a few lines above using 'memdup_user()'.
If the 'if (dev-&gt;buf)' test fails, this memory is never released.

Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: configs: plug memory leak</title>
<updated>2017-12-14T08:28:18+00:00</updated>
<author>
<name>John Keeping</name>
<email>john@metanate.com</email>
</author>
<published>2017-02-28T10:55:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59682e70c98054eb8f97e3670625992a0c85d24e'/>
<id>59682e70c98054eb8f97e3670625992a0c85d24e</id>
<content type='text'>
[ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ]

When binding a gadget to a device, "name" is stored in gi-&gt;udc_name, but
this does not happen when unregistering and the string is leaked.

Signed-off-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ]

When binding a gadget to a device, "name" is stored in gi-&gt;udc_name, but
this does not happen when unregistering and the string is leaked.

Signed-off-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT</title>
<updated>2017-12-14T08:28:15+00:00</updated>
<author>
<name>John Keeping</name>
<email>john@metanate.com</email>
</author>
<published>2017-11-27T18:15:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=112b8a8f558de4004c2a0f7a6d04aba3520fd4ff'/>
<id>112b8a8f558de4004c2a0f7a6d04aba3520fd4ff</id>
<content type='text'>
commit a3acc696085e112733d191a77b106e67a4fa110b upstream.

The specification says that the Reserved1 field in OS_DESC_EXT_COMPAT
must have the value "1", but when this feature was first implemented we
rejected any non-zero values.

This was adjusted to accept all non-zero values (while now rejecting
zero) in commit 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on
reserved1 of OS_DESC_EXT_COMPAT"), but that breaks any userspace
programs that worked previously by returning EINVAL when Reserved1 == 0
which was previously the only value that succeeded!

If we just set the field to "1" ourselves, both old and new userspace
programs continue to work correctly and, as a bonus, old programs are
now compliant with the specification without having to fix anything
themselves.

Fixes: 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT")
Signed-off-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a3acc696085e112733d191a77b106e67a4fa110b upstream.

The specification says that the Reserved1 field in OS_DESC_EXT_COMPAT
must have the value "1", but when this feature was first implemented we
rejected any non-zero values.

This was adjusted to accept all non-zero values (while now rejecting
zero) in commit 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on
reserved1 of OS_DESC_EXT_COMPAT"), but that breaks any userspace
programs that worked previously by returning EINVAL when Reserved1 == 0
which was previously the only value that succeeded!

If we just set the field to "1" ourselves, both old and new userspace
programs continue to work correctly and, as a bonus, old programs are
now compliant with the specification without having to fix anything
themselves.

Fixes: 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT")
Signed-off-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: udc: renesas_usb3: fix number of the pipes</title>
<updated>2017-12-14T08:28:09+00:00</updated>
<author>
<name>Yoshihiro Shimoda</name>
<email>yoshihiro.shimoda.uh@renesas.com</email>
</author>
<published>2017-11-13T08:59:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fbe9a14180d6a57badfbca5986b1539db330a554'/>
<id>fbe9a14180d6a57badfbca5986b1539db330a554</id>
<content type='text'>
commit a58204ab91ad8cae4d8474aa0ba5d1fc504860c9 upstream.

This controller on R-Car Gen3 has 6 pipes that included PIPE 0 for
control actually. But, the datasheet has error in writing as it has
31 pipes. (However, the previous code defined 30 pipes wrongly...)

Anyway, this patch fixes it.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Signed-off-by: Yoshihiro Shimoda &lt;yoshihiro.shimoda.uh@renesas.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a58204ab91ad8cae4d8474aa0ba5d1fc504860c9 upstream.

This controller on R-Car Gen3 has 6 pipes that included PIPE 0 for
control actually. But, the datasheet has error in writing as it has
31 pipes. (However, the previous code defined 30 pipes wrongly...)

Anyway, this patch fixes it.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Signed-off-by: Yoshihiro Shimoda &lt;yoshihiro.shimoda.uh@renesas.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>usb: host: fix incorrect updating of offset</title>
<updated>2017-12-09T21:01:57+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2017-11-07T16:45:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=08dd03812e8b1dba97eb00092a8cfbe8a7ebc13c'/>
<id>08dd03812e8b1dba97eb00092a8cfbe8a7ebc13c</id>
<content type='text'>
commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream.

The variable temp is incorrectly being updated, instead it should
be offset otherwise the loop just reads the same capability value
and loops forever.  Thanks to Alan Stern for pointing out the
correct fix to my original fix.  Fix also cleans up clang warning:

drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp'
is never read

Fixes: d49d43174400 ("USB: misc ehci updates")
Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream.

The variable temp is incorrectly being updated, instead it should
be offset otherwise the loop just reads the same capability value
and loops forever.  Thanks to Alan Stern for pointing out the
correct fix to my original fix.  Fix also cleans up clang warning:

drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp'
is never read

Fixes: d49d43174400 ("USB: misc ehci updates")
Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>USB: usbfs: Filter flags passed in from user space</title>
<updated>2017-12-09T21:01:57+00:00</updated>
<author>
<name>Oliver Neukum</name>
<email>oneukum@suse.com</email>
</author>
<published>2017-11-23T15:39:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=20c315ebabc5a63b0bb169ddd60455ee0b70633e'/>
<id>20c315ebabc5a63b0bb169ddd60455ee0b70633e</id>
<content type='text'>
commit 446f666da9f019ce2ffd03800995487e79a91462 upstream.

USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
Improve sanity checking.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Oliver Neukum &lt;oneukum@suse.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 446f666da9f019ce2ffd03800995487e79a91462 upstream.

USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
Improve sanity checking.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Oliver Neukum &lt;oneukum@suse.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>USB: devio: Prevent integer overflow in proc_do_submiturb()</title>
<updated>2017-12-09T21:01:57+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2017-09-22T20:43:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=545c10375330c9212227a6a7efd84f49ccd6c9b2'/>
<id>545c10375330c9212227a6a7efd84f49ccd6c9b2</id>
<content type='text'>
commit 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 upstream.

There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb-&gt;buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:

	num_sgs = DIV_ROUND_UP(uurb-&gt;buffer_length, USB_SG_SIZE);

If we strip away the macro then that line looks like this:

	num_sgs = (uurb-&gt;buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.

Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 upstream.

There used to be an integer overflow check in proc_do_submiturb() but
we removed it.  It turns out that it's still required.  The
uurb-&gt;buffer_length variable is a signed integer and it's controlled by
the user.  It can lead to an integer overflow when we do:

	num_sgs = DIV_ROUND_UP(uurb-&gt;buffer_length, USB_SG_SIZE);

If we strip away the macro then that line looks like this:

	num_sgs = (uurb-&gt;buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE;
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's the first addition which can overflow.

Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
