Clang static analysis reports this error
cdc-acm.c:409:3: warning: Use of memory after it is freed
acm_process_notification(acm, (unsigned char *)dr);
There are three problems, the first one is that dr is not reset
The variable dr is set with
if (acm->nb_index)
dr = (struct usb_cdc_notification *)acm->notification_buffer;
But if the notification_buffer is too small it is resized with
if (acm->nb_size) {
kfree(acm->notification_buffer);
acm->nb_size = 0;
}
alloc_size = roundup_pow_of_two(expected_size);
/*
* kmalloc ensures a valid notification_buffer after a
* use of kfree in case the previous allocation was too
* small. Final freeing is done on disconnect.
*/
acm->notification_buffer =
kmalloc(alloc_size, GFP_ATOMIC);
dr should point to the new acm->notification_buffer.
The second problem is any data in the notification_buffer is lost
when the pointer is freed. In the normal case, the current data
is accumulated in the notification_buffer here.
memcpy(&acm->notification_buffer[acm->nb_index],
urb->transfer_buffer, copy_size);
When a resize happens, anything before
notification_buffer[acm->nb_index] is garbage.
The third problem is the acm->nb_index is not reset on a
resizing buffer error.
So switch resizing to using krealloc and reassign dr and
reset nb_index.
Fixes: ea2583529c ("cdc-acm: reassemble fragmented notifications")
Signed-off-by: Tom Rix <trix@redhat.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20200801152154.20683-1-trix@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently dwc3 doesn't handle usb_request->zero for SG requests. This
change checks and prepares extra TRBs for the ZLP for SG requests.
Cc: <stable@vger.kernel.org> # v4.5+
Fixes: 04c03d10e5 ("usb: dwc3: gadget: handle request->zero")
Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
The usb_request->zero doesn't apply for isoc. Also, if we prepare a
0-length (ZLP) TRB for the OUT direction, we need to prepare an extra
TRB to pad up to the MPS alignment. Use the same bounce buffer for the
ZLP TRB and the extra pad TRB.
Cc: <stable@vger.kernel.org> # v4.5+
Fixes: d6e5a549cc ("usb: dwc3: simplify ZLP handling")
Fixes: 04c03d10e5 ("usb: dwc3: gadget: handle request->zero")
Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
The SG list may be set up with entry size more than the requested
length. Check the usb_request->length and make sure that we don't setup
the TRBs to send/receive more than requested. This case may occur when
the SG entry is allocated up to a certain minimum size, but the request
length is less than that. It can also occur when the request is reused
for a different request length.
Cc: <stable@vger.kernel.org> # v4.18+
Fixes: a31e63b608 ("usb: dwc3: gadget: Correct handling of scattergather lists")
Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
If a memory allocation fails within a 'usb_ep_alloc_request()' call, the
already allocated memory must be released.
Fix a mix-up in the code and free the correct requests.
Fixes: c52661d60f ("usb-gadget: Initial merge of target module for UASP + BOT")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Pull media updates from Mauro Carvalho Chehab:
- Legacy soc_camera driver was removed from staging
- New I2C sensor related drivers: dw9768, ch7322, max9271, rdacm20
- TI vpe driver code was re-organized and had new features added
- Added Xilinx MIPI CSI-2 Rx Subsystem driver
- Added support for Infrared Toy and IR Droid devices
- Lots of random driver fixes, new features and cleanups
* tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (318 commits)
media: camss: fix memory leaks on error handling paths in probe
media: davinci: vpif_capture: fix potential double free
media: radio: remove redundant assignment to variable retval
media: allegro: fix potential null dereference on header
media: mtk-mdp: Fix a refcounting bug on error in init
media: allegro: fix an error pointer vs NULL check
media: meye: fix missing pm_mchip_mode field
media: cafe-driver: use generic power management
media: saa7164: use generic power management
media: v4l2-dev/ioctl: Fix document for VIDIOC_QUERYCAP
media: v4l2: Correct kernel-doc inconsistency
media: v4l2: Correct kernel-doc inconsistency
media: dvbdev.h: keep * together with the type
media: v4l2-subdev.h: keep * together with the type
media: videobuf2: Print videobuf2 buffer state by name
media: colorspaces-details.rst: fix V4L2_COLORSPACE_JPEG description
media: tw68: use generic power management
media: meye: use generic power management
media: cx88: use generic power management
media: cx25821: use generic power management
...
Pull tty/serial updates from Greg KH:
"Here is the large set of TTY and Serial driver patches for 5.9-rc1.
Lots of bugfixes in here, thanks to syzbot fuzzing for serial and vt
and console code.
Other highlights include:
- much needed vt/vc code cleanup from Jiri Slaby
- 8250 driver fixes and additions
- various serial driver updates and feature enhancements
- locking cleanup for serial/console initializations
- other minor cleanups
All of these have been in linux-next with no reported issues"
* tag 'tty-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (90 commits)
MAINTAINERS: enlist Greg formally for console stuff
vgacon: Fix for missing check in scrollback handling
Revert "serial: 8250: Let serial core initialise spin lock"
serial: 8250: Let serial core initialise spin lock
tty: keyboard, do not speculate on func_table index
serial: stm32: Add RS485 RTS GPIO control
serial: 8250_dw: Fix common clocks usage race condition
serial: 8250_dw: Pass the same rate to the clk round and set rate methods
serial: 8250_dw: Simplify the ref clock rate setting procedure
serial: 8250: Add 8250 port clock update method
tty: serial: imx: add imx earlycon driver
tty: serial: imx: enable imx serial console port as module
tty/synclink: remove leftover bits of non-PCI card support
tty: Use the preferred form for passing the size of a structure type
tty: Fix identation issues in struct serial_struct32
tty: Avoid the use of one-element arrays
serial: msm_serial: add sparse context annotation
serial: pmac_zilog: add sparse context annotation
newport_con: vc_color is now in state
serial: imx: use hrtimers for rs485 delays
...
Pull USB/Thunderbolt updates from Greg KH:
"Here is the large set of USB and Thunderbolt patches for 5.9-rc1.
Nothing really magic/major in here, just lots of little changes and
updates:
- clean up language usages in USB core and some drivers
- Thunderbolt driver updates and additions
- USB Gadget driver updates
- dwc3 driver updates (like always...)
- build with "W=1" warning fixups
- mtu3 driver updates
- usb-serial driver updates and device ids
- typec additions and updates for new hardware
- xhci debug code updates for future platforms
- cdns3 driver updates
- lots of other minor driver updates and fixes and cleanups
All of these have been in linux-next for a while with no reported
issues"
* tag 'usb-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (330 commits)
usb: common: usb-conn-gpio: Register charger
usb: mtu3: simplify mtu3_req_complete()
usb: mtu3: clear dual mode of u3port when disable device
usb: mtu3: use MTU3_EP_WEDGE flag
usb: mtu3: remove useless member @busy in mtu3_ep struct
usb: mtu3: remove repeated error log
usb: mtu3: add ->udc_set_speed()
usb: mtu3: introduce a funtion to check maximum speed
usb: mtu3: clear interrupts status when disable interrupts
usb: mtu3: reinitialize CSR registers
usb: mtu3: fix macro for maximum number of packets
usb: mtu3: remove unnecessary pointer checks
usb: xhci: Fix ASMedia ASM1142 DMA addressing
usb: xhci: define IDs for various ASMedia host controllers
usb: musb: convert to devm_platform_ioremap_resource_byname
usb: gadget: tegra-xudc: convert to devm_platform_ioremap_resource_byname
usb: gadget: r8a66597: convert to devm_platform_ioremap_resource_byname
usb: dwc3: convert to devm_platform_ioremap_resource_byname
usb: cdns3: convert to devm_platform_ioremap_resource_byname
usb: phy: am335x: convert to devm_platform_ioremap_resource_byname
...
Pull tasklets API update from Kees Cook:
"These are the infrastructure updates needed to support converting the
tasklet API to something more modern (and hopefully for removal
further down the road).
There is a 300-patch series waiting in the wings to get set out to
subsystem maintainers, but these changes need to be present in the
kernel first. Since this has some treewide changes, I carried this
series for -next instead of paining Thomas with it in -tip, but it's
got his Ack.
This is similar to the timer_struct modernization from a while back,
but not nearly as messy (I hope). :)
- Prepare for tasklet API modernization (Romain Perier, Allen Pais,
Kees Cook)"
* tag 'tasklets-v5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
tasklet: Introduce new initialization API
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
usb: gadget: udc: Avoid tasklet passing a global
Pull ARM SoC updates from Arnd Bergmann:
"These are mostly cosmetic changes and minor bugfixes for the SoC
specific code, across the 32-bit at91, mvebu, davinci, samsung, and
omap platforms.
The main notable changes are for the Samsung Exynos platform, which
sees a rewrite of gpio handling and a change to restore and adds a
workaround for a problem with cpuidle support"
* tag 'arm-soc-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()
MAINTAINERS: arm/amlogic: add designated reviewers
ARM: davinci: dm646x-evm: Simplify error handling in 'evm_sw_setup()'
ARM: davinci: Fix trivial spelling
ARM: davinci: Replace HTTP links with HTTPS ones
ARM: s3c24xx: Replace HTTP links with HTTPS ones
ARM: orion/gpio: Make use of for_each_requested_gpio()
ARM: at91: Replace HTTP links with HTTPS ones
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
ARM: rpc: Change blacklist to quirklist in ecode.c file
ARM: OMAP: Replace HTTP links with HTTPS ones
ARM: s3c24xx: leds: Convert to use GPIO descriptors
udc: lpc32xx: mark local function static
ARM: exynos: MCPM: Restore big.LITTLE cpuidle support
ARM: exynos: clear L310_AUX_CTRL_FULL_LINE_ZERO in default l2c_aux_val
This converts all the existing DECLARE_TASKLET() (and ...DISABLED)
macros with DECLARE_TASKLET_OLD() in preparation for refactoring the
tasklet callback type. All existing DECLARE_TASKLET() users had a "0"
data argument, it has been removed here as well.
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
There's no reason for the tasklet callback to set an argument since it
always uses a global. Instead, use the global directly, in preparation
for converting the tasklet subsystem to modern callback conventions.
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
Register a power supply charger, whose online state depends on whether
the USB role is set to device or not.
This is useful when the USB role is the only way to know if the device
is charging from USB. The API is the standard power supply charger API,
you get a /sys/class/power_supply/xxx/online node which tells you the
state of the charger.
The sole purpose of this is to give userspace applications a way to
know whether or not the charger is plugged.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Link: https://lore.kernel.org/r/20200727170413.23131-1-paul@crapouillou.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The tcpm.c code for sending VDMs assumes that there will only be one VDM
in flight at the time. The "queue" used by tcpm_queue_vdm is only 1 entry
deep.
This assumes that the higher layers (tcpm state-machine and alt-mode
drivers) ensure that queuing a new VDM before the old one has been
completely send (or it timed out) add a WARN_ON to check for this.
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200724174702.61754-6-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When we receive a PD data packet which ends up being for the alt-mode
driver we have the following lock order:
1. tcpm_pd_rx_handler take the tcpm-port lock
2. We call into the alt-mode driver which takes the alt-mode's lock
And when the alt-mode driver initiates communication we have the following
lock order:
3. alt-mode driver takes the alt-mode's lock
4. alt-mode driver calls tcpm_altmode_enter which takes the tcpm-port lock
This is a classic AB BA lock inversion issue.
With the refactoring of tcpm_handle_vdm_request() done before this patch,
we don't rely on, or need to make changes to the tcpm-port data by the
time we make call 2. from above. All data to be passed to the alt-mode
driver sits on our stack at this point, and thus does not need locking.
So after the refactoring we can simply fix this by releasing the
tcpm-port lock before calling into the alt-mode driver.
This fixes the following lockdep warning:
[ 191.454238] ======================================================
[ 191.454240] WARNING: possible circular locking dependency detected
[ 191.454244] 5.8.0-rc5+ #1 Not tainted
[ 191.454246] ------------------------------------------------------
[ 191.454248] kworker/u8:5/794 is trying to acquire lock:
[ 191.454251] ffff9bac8e30d4a8 (&dp->lock){+.+.}-{3:3}, at: dp_altmode_vdm+0x30/0xf0 [typec_displayport]
[ 191.454263]
but task is already holding lock:
[ 191.454264] ffff9bac9dc240a0 (&port->lock#2){+.+.}-{3:3}, at: tcpm_pd_rx_handler+0x43/0x12c0 [tcpm]
[ 191.454273]
which lock already depends on the new lock.
[ 191.454275]
the existing dependency chain (in reverse order) is:
[ 191.454277]
-> #1 (&port->lock#2){+.+.}-{3:3}:
[ 191.454286] __mutex_lock+0x7b/0x820
[ 191.454290] tcpm_altmode_enter+0x23/0x90 [tcpm]
[ 191.454293] dp_altmode_work+0xca/0xe0 [typec_displayport]
[ 191.454299] process_one_work+0x23f/0x570
[ 191.454302] worker_thread+0x55/0x3c0
[ 191.454305] kthread+0x138/0x160
[ 191.454309] ret_from_fork+0x22/0x30
[ 191.454311]
-> #0 (&dp->lock){+.+.}-{3:3}:
[ 191.454317] __lock_acquire+0x1241/0x2090
[ 191.454320] lock_acquire+0xa4/0x3d0
[ 191.454323] __mutex_lock+0x7b/0x820
[ 191.454326] dp_altmode_vdm+0x30/0xf0 [typec_displayport]
[ 191.454330] tcpm_pd_rx_handler+0x11ae/0x12c0 [tcpm]
[ 191.454333] process_one_work+0x23f/0x570
[ 191.454336] worker_thread+0x55/0x3c0
[ 191.454338] kthread+0x138/0x160
[ 191.454341] ret_from_fork+0x22/0x30
[ 191.454343]
other info that might help us debug this:
[ 191.454345] Possible unsafe locking scenario:
[ 191.454347] CPU0 CPU1
[ 191.454348] ---- ----
[ 191.454350] lock(&port->lock#2);
[ 191.454353] lock(&dp->lock);
[ 191.454355] lock(&port->lock#2);
[ 191.454357] lock(&dp->lock);
[ 191.454360]
*** DEADLOCK ***
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200724174702.61754-5-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Refactor tcpm_handle_vdm_request and its tcpm_pd_svdm helper function so
that reporting the results of the vdm to the altmode-driver is separated
out into a clear separate step inside tcpm_handle_vdm_request, instead
of being scattered over various places inside the tcpm_pd_svdm helper.
This is a preparation patch for fixing an AB BA lock inversion between the
tcpm code and some altmode drivers.
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200724174702.61754-4-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Refactor the tcpm_handle_vdm_request payload handling by doing the
endianness conversion only once directly inside tcpm_handle_vdm_request
itself instead of doing it multiple times inside various helper functions
called by tcpm_handle_vdm_request.
This is a preparation patch for some further refactoring to fix an AB BA
lock inversion between the tcpm code and some altmode drivers.
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200724174702.61754-3-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter writes:
ENDIAN issue fix and one query controller role API is introduced.
* tag 'usb-ci-v5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb:
usb: chipidea: imx: get available runtime dr mode for wakeup setting
usb: chipidea: add query_available_role interface
Documentation: ABI: usb: chipidea: Update Li Jun's e-mail
usb: chipidea: udc: fix the ENDIAN issue
Johan writes:
USB-serial updates for 5.9-rc1
Here are the USB-serial updates for 5.9-rc1, including:
- console flow-control support
- simulated line-breaks on some ch341
- hardware flow-control fixes for cp210x
- break-detection and sysrq fixes for ftdi_sio
- sysrq optimisations
- input parity checking for cp210x
Included are also some new device ids and various clean ups.
All have been in linux-next with no reported issues.
* tag 'usb-serial-5.9-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: (31 commits)
USB: serial: qcserial: add EM7305 QDL product ID
USB: serial: iuu_phoenix: fix led-activity helpers
USB: serial: sierra: clean up special-interface handling
USB: serial: cp210x: use in-kernel types in port data
USB: serial: cp210x: drop unnecessary packed attributes
USB: serial: cp210x: add support for TIOCGICOUNT
USB: serial: cp210x: add support for line-status events
USB: serial: cp210x: disable interface on errors in open
USB: serial: drop redundant transfer-buffer casts
USB: serial: drop extern keyword from function declarations
USB: serial: drop unnecessary sysrq include
USB: serial: add sysrq break-handler dummy
USB: serial: inline sysrq dummy function
USB: serial: only process sysrq when enabled
USB: serial: only set sysrq timestamp for consoles
USB: serial: ftdi_sio: fix break and sysrq handling
USB: serial: ftdi_sio: clean up receive processing
USB: serial: ftdi_sio: make process-packet buffer unsigned
USB: serial: use fallthrough pseudo-keyword
USB: serial: ch341: fix missing simulated-break margin
...
The sparse tool complains as follows:
drivers/usb/host/xhci-dbgtty.c:401:5: warning:
symbol 'xhci_dbc_tty_register_device' was not declared. Should it be static?
drivers/usb/host/xhci-dbgtty.c:452:6: warning:
symbol 'xhci_dbc_tty_unregister_device' was not declared. Should it be static?
After commit 6ae6470bfa ("xhci: dbc: Add a operations structure
to access driver functions"), those functions are not used outside
of xhci-dbgtty.c, so this commit marks them static.
Fixes: 6ae6470bfa ("xhci: dbc: Add a operations structure to access driver functions")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Link: https://lore.kernel.org/r/20200727171149.3011-1-weiyongjun1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If runtime dr_mode is not dual-role, it doesn't need to enable ID
wakeup interrupt.
If runtime dr_mode is host, it doesn't need to enable VBUS
wakeup interrupt.
With these changes, the user will not get the unexpected wakeup
for single role use case. For example, the host-only use case at
Micro-AB port, the controller should not be waken up by only
plug in Micro-AB cable or the Micro-B cable with host.
Signed-off-by: Peter Chen <peter.chen@nxp.com>
The glue layer may need to know current available role to do some
setting, eg, the wakeup setting. So we add ci_hdrc_query_available_role
for that.
Signed-off-by: Peter Chen <peter.chen@nxp.com>
