[RESEND PATCH] phy: phy-mtk-tphy: add set_mode callback

2017-10-10 Thread Chunfeng Yun
This is used to force a PHY with USB OTG function to enter a specific
mode, overriding the OTG IDPIN (or IDDIG) signal.

Signed-off-by: Chunfeng Yun 
---
 drivers/phy/mediatek/phy-mtk-tphy.c |   39 +++
 1 file changed, 39 insertions(+)

diff --git a/drivers/phy/mediatek/phy-mtk-tphy.c 
b/drivers/phy/mediatek/phy-mtk-tphy.c
index 721a2a1..402385f 100644
--- a/drivers/phy/mediatek/phy-mtk-tphy.c
+++ b/drivers/phy/mediatek/phy-mtk-tphy.c
@@ -96,9 +96,11 @@
 
 #define U3P_U2PHYDTM1  0x06C
 #define P2C_RG_UART_EN BIT(16)
+#define P2C_FORCE_IDDIGBIT(9)
 #define P2C_RG_VBUSVALID   BIT(5)
 #define P2C_RG_SESSEND BIT(4)
 #define P2C_RG_AVALID  BIT(2)
+#define P2C_RG_IDDIG   BIT(1)
 
 #define U3P_U3_CHIP_GPIO_CTLD  0x0c
 #define P3C_REG_IP_SW_RST  BIT(31)
@@ -585,6 +587,31 @@ static void u2_phy_instance_exit(struct mtk_tphy *tphy,
}
 }
 
+static void u2_phy_instance_set_mode(struct mtk_tphy *tphy,
+struct mtk_phy_instance *instance,
+enum phy_mode mode)
+{
+   struct u2phy_banks *u2_banks = >u2_banks;
+   u32 tmp;
+
+   tmp = readl(u2_banks->com + U3P_U2PHYDTM1);
+   switch (mode) {
+   case PHY_MODE_USB_DEVICE:
+   tmp |= P2C_FORCE_IDDIG | P2C_RG_IDDIG;
+   break;
+   case PHY_MODE_USB_HOST:
+   tmp |= P2C_FORCE_IDDIG;
+   tmp &= ~P2C_RG_IDDIG;
+   break;
+   case PHY_MODE_USB_OTG:
+   tmp &= ~(P2C_FORCE_IDDIG | P2C_RG_IDDIG);
+   break;
+   default:
+   return;
+   }
+   writel(tmp, u2_banks->com + U3P_U2PHYDTM1);
+}
+
 static void pcie_phy_instance_init(struct mtk_tphy *tphy,
struct mtk_phy_instance *instance)
 {
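Review bot: u2_phy_instance_set_mode has no comment explaining the two bits it drives, and the semantics are only recoverable by reading all three cases: `P2C_FORCE_IDDIG` appears to make the PHY ignore the external ID pin and `P2C_RG_IDDIG` to supply the forced level (set for device, cleared for host). A short comment above the switch, e.g. `/* FORCE_IDDIG overrides the ID pin; RG_IDDIG is the forced value: 1 = device, 0 = host */`, would let a reader confirm that `PHY_MODE_USB_OTG` hands control back to the pin. The `tphy` parameter is not used in the visible body. Because a forced role overrides what the connector reports, it is also worth stating whether callers are expected to restore OTG mode when they stop forcing.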
@@ -881,6 +908,17 @@ static int mtk_phy_exit(struct phy *phy)
return 0;
 }
 
+static int mtk_phy_set_mode(struct phy *phy, enum phy_mode mode)
+{
+   struct mtk_phy_instance *instance = phy_get_drvdata(phy);
+   struct mtk_tphy *tphy = dev_get_drvdata(phy->dev.parent);
+
+   if (instance->type == PHY_TYPE_USB2)
+   u2_phy_instance_set_mode(tphy, instance, mode);
+
+   return 0;
+}
+
 static struct phy *mtk_phy_xlate(struct device *dev,
struct of_phandle_args *args)
 {
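Review bot: mtk_phy_set_mode returns 0 unconditionally, so a request the driver does not act on is reported as success: a non-USB2 instance skips the call entirely, and an unhandled mode leaves u2_phy_instance_set_mode through `default: return;` without writing the register. A caller that relies on the return value to know the ID-pin override took effect gets no signal. Consider having the helper return an int and propagating it, e.g. `default: return -EINVAL;` in the helper and `return u2_phy_instance_set_mode(tphy, instance, mode);` here. Whether non-USB2 types should fail or succeed silently is a policy choice that deserves a one-line comment either way.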
@@ -931,6 +969,7 @@ static struct phy *mtk_phy_xlate(struct device *dev,
.exit   = mtk_phy_exit,
.power_on   = mtk_phy_power_on,
.power_off  = mtk_phy_power_off,
+   .set_mode   = mtk_phy_set_mode,
.owner  = THIS_MODULE,
 };
 
-- 
1.7.9.5



Re: Dell thunderbolt docking station not working

2017-10-10 Thread Stephen Hemminger
On Tue, 10 Oct 2017 22:31:34 +0300
Mika Westerberg  wrote:

> On Tue, Oct 10, 2017 at 12:11:49PM -0700, Stephen Hemminger wrote:
> > The Dell thunderbolt docking brick (TB16) does not appear to be fully 
> > supported in Linux.
> > When I connect my Dell XPS 13 (running Ubuntu) to the dock, the multiple 
> > displays work
> > correctly but the USB keyboard, mouse and wired Ethernet do not.
> > (Of course this all works with the other Windows laptop so it is not a 
> > hardware BIOS issue).  
> 
> TB16 should be working fine, that's one of the devices I use for my
> testing. Looking at your dmesg, it seems to be fine.
> 
> Have you authorized the devices you connected?
> 
> https://www.kernel.org/doc/html/latest/admin-guide/thunderbolt.html

Thanks, once I authorized 0-301 it worked.


Re: Dell thunderbolt docking station not working

2017-10-10 Thread Mika Westerberg
On Tue, Oct 10, 2017 at 12:11:49PM -0700, Stephen Hemminger wrote:
> The Dell thunderbolt docking brick (TB16) does not appear to be fully 
> supported in Linux.
> When I connect my Dell XPS 13 (running Ubuntu) to the dock, the multiple 
> displays work
> correctly but the USB keyboard, mouse and wired Ethernet do not.
> (Of course this all works with the other Windows laptop so it is not a 
> hardware BIOS issue).

TB16 should be working fine, that's one of the devices I use for my
testing. Looking at your dmesg, it seems to be fine.

Have you authorized the devices you connected?

https://www.kernel.org/doc/html/latest/admin-guide/thunderbolt.html


Re: [PATCH 2/2] usb: renesas_usbhs: add support for R-Car D3

2017-10-10 Thread Rob Herring
On Tue, Oct 03, 2017 at 08:09:14PM +0900, Yoshihiro Shimoda wrote:
> This patch adds support for R-Car D3. This SoC needs to release
> the PLL reset by the UGCTRL register. So, since this is not the same
> as other R-Car Gen3 SoCs, this patch adds a new type as
> "USBHS_TYPE_RCAR_GEN3_WITH_PLL".
> 
> Signed-off-by: Yoshihiro Shimoda 
> ---
>  .../devicetree/bindings/usb/renesas_usbhs.txt  |  1 +
>  drivers/usb/renesas_usbhs/common.c | 10 -
>  drivers/usb/renesas_usbhs/rcar3.c  | 48 
> ++
>  drivers/usb/renesas_usbhs/rcar3.h  |  1 +
>  include/linux/usb/renesas_usbhs.h  |  5 ++-
>  5 files changed, 62 insertions(+), 3 deletions(-)

Acked-by: Rob Herring 


[PATCH] USB: serial: garmin_gps: Convert timers to use timer_setup()

2017-10-10 Thread Kees Cook
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.

Cc: Johan Hovold 
Cc: Allen Pais 
Cc: Greg Kroah-Hartman 
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook 
---
 drivers/usb/serial/garmin_gps.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/serial/garmin_gps.c b/drivers/usb/serial/garmin_gps.c
index b2f2e87aed94..9ade4ff0edd7 100644
--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1370,9 +1370,10 @@ static void garmin_unthrottle(struct tty_struct *tty)
  * the tty in cases where the protocol provides no own handshaking
  * to initiate the transfer.
  */
-static void timeout_handler(unsigned long data)
+static void timeout_handler(struct timer_list *t)
 {
-   struct garmin_data *garmin_data_p = (struct garmin_data *) data;
+   struct garmin_data *garmin_data_p = from_timer(garmin_data_p, t,
+  timer);
 
/* send the next queued packet to the tty port */
if (garmin_data_p->mode == MODE_NATIVE)
@@ -1391,12 +1392,10 @@ static int garmin_port_probe(struct usb_serial_port 
*port)
if (!garmin_data_p)
return -ENOMEM;
 
-   init_timer(_data_p->timer);
+   timer_setup(_data_p->timer, timeout_handler, 0);
spin_lock_init(_data_p->lock);
INIT_LIST_HEAD(_data_p->pktlist);
/* garmin_data_p->timer.expires = jiffies + session_timeout; */
-   garmin_data_p->timer.data = (unsigned long)garmin_data_p;
-   garmin_data_p->timer.function = timeout_handler;
garmin_data_p->port = port;
garmin_data_p->state = 0;
garmin_data_p->flags = 0;
-- 
2.7.4


-- 
Kees Cook
Pixel Security


Re: [PATCH 2/9] ALSA: bcd2000: Add a sanity check for invalid EPs

2017-10-10 Thread Andrey Konovalov
On Tue, Oct 10, 2017 at 4:33 PM, Takashi Iwai  wrote:
> On Tue, 10 Oct 2017 16:00:25 +0200,
> Andrey Konovalov wrote:
>>
>> On Tue, Oct 10, 2017 at 3:38 PM, Takashi Iwai  wrote:
>> > As syzkaller spotted, currently bcd2000 driver submits a URB with the
>> > fixed EP without checking whether it's actually available, which may
>> > result in a kernel warning like:
>> >   usb 1-1: BOGUS urb xfer, pipe 1 != type 3
>> >   [ cut here ]
>> >   WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
>> >   usb_submit_urb+0xf8a/0x11d0
>> >   Modules linked in:
>> >   CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
>> >   4.14.0-rc2-42613-g1488251d1a98 #238
>> >   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
>> > 01/01/2011
>> >   Workqueue: usb_hub_wq hub_event
>> >   Call Trace:
>> >bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
>> >bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
>> >bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
>> >usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>> >
>> >
>> > This patch adds a sanity check of validity of EPs at the device
>> > initialization phase for avoiding the call with an invalid EP.
>> >
>> > Reported-by: Andrey Konovalov 
>> > Signed-off-by: Takashi Iwai 
>>
>> Hi Takashi,
>>
>> I've applied patches #1 and #2 and for some reason get this when I try
>> to build the kernel:
>>
>>   LD  vmlinux.o
>>   MODPOST vmlinux.o
>> sound/usb/bcd2000/bcd2000.o: In function `bcd2000_init_midi':
>> .../sound/usb/bcd2000/bcd2000.c:346: undefined reference to
>> `usb_urb_ep_type_check'
>> .../sound/usb/bcd2000/bcd2000.c:347: undefined reference to
>> `usb_urb_ep_type_check'
>> make: *** [vmlinux] Error 1
>>
>> What could be wrong?
>
> Mea culpa, I generated patches from the wrong branch.
> Luckily only the first patch was wrong, the function name was
> misspelled.

Ah, I thought so and even intentionally checked for a typo in the
function name, but somehow still missed that :)

I've run my reproducers with your patches applied, all the warnings are gone.

Thanks!

Tested-by: Andrey Konovalov 

>
> Below is the right patch for patch 1, which already includes Greg's
> suggestions.  I'm going to send a v2 series in anyway later, so just
> putting this one below.
>
> Sorry for the inconvenience!
>
>
> Takashi
>
> -- 8< --
> From: Takashi Iwai 
> Subject: [PATCH 1/9] usb: core: Add a helper function to check the validity 
> of EP type in URB
>
> This patch adds a new helper function to perform a sanity check of the
> given URB to see whether it contains a valid endpoint.  It's a light-
> weight version of what usb_submit_urb() does, but without the kernel
> warning followed by the stack trace, just returns an error code.
>
> Especially for a driver that doesn't parse the descriptor but fills
> the URB with the fixed endpoint (e.g. some quirks for non-compliant
> devices), this kind of check is preferable at the probe phase before
> actually submitting the urb.
>
> Signed-off-by: Takashi Iwai 
> ---
>  drivers/usb/core/urb.c | 30 ++
>  include/linux/usb.h|  2 ++
>  2 files changed, 28 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
> index 47903d510955..8b800e34407b 100644
> --- a/drivers/usb/core/urb.c
> +++ b/drivers/usb/core/urb.c
> @@ -187,6 +187,31 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
>
>  /*---*/
>
> +static const int pipetypes[4] = {
> +   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
> +};
> +
> +/**
> + * usb_urb_ep_type_check - sanity check of endpoint in the given urb
> + * @urb: urb to be checked
> + *
> + * This performs a light-weight sanity check for the endpoint in the
> + * given urb.  It returns 0 if the urb contains a valid endpoint, otherwise
> + * a negative error code.
> + */
> +int usb_urb_ep_type_check(const struct urb *urb)
> +{
> +   const struct usb_host_endpoint *ep;
> +
> +   ep = usb_pipe_endpoint(urb->dev, urb->pipe);
> +   if (!ep)
> +   return -EINVAL;
> +   if (usb_pipetype(urb->pipe) != 
> pipetypes[usb_endpoint_type(>desc)])
> +   return -EINVAL;
> +   return 0;
> +}
> +EXPORT_SYMBOL_GPL(usb_urb_ep_type_check);
> +
>  /**
>   * usb_submit_urb - issue an asynchronous transfer request for an endpoint
>   * @urb: pointer to the urb describing the request
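Review bot: The kernel-doc for usb_urb_ep_type_check does not state its precondition: the body passes `urb->dev` and `urb->pipe` straight to usb_pipe_endpoint(), so it presumably must only be called on a filled URB with a non-NULL device. The helper is meant for probe paths that hard-code an endpoint number on hardware that may present unexpected descriptors, so I would add a line such as `* The urb must already have its dev and pipe fields set.` to the comment. It would also help to say that drivers are expected to fail probe on a non-zero return rather than only log it. The `pipetypes[]` subscript comes from usb_endpoint_type(), which masks the attribute to two bits, so the four-entry table is not overrun.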
> @@ -326,9 +351,6 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
>   */
>  int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
>  {
> -   static int  pipetypes[4] = {
> -   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
> -   };
> int xfertype, max;
> struct usb_device   *dev;
> 

[PATCH] xhci: Cope with VIA VL805 readahead

2017-10-10 Thread Robin Murphy
The VIA VL805 host controller is well-known for causing problems on
systems with IOMMUs enabled, ranging from triggering endless streams of
fault messages to locking itself up completely. It appears that the root
of the problem might be an over-aggressive prefetching of TRBs, wherein
consuming commands near the end of a queue segment causes it to read off
the end of the segment, even across a page boundary. This blows up when
DMA mapping ops are backed by an IOMMU, since there is no guarantee that
addresses outside the allocated segment are accessible at all.

Some trial-and-error investigation reveals that we can avoid such
cross-page reads by not using the last few TRBs in a segment; to that
end, factor out the implicit index of the end-of-segment link TRB, and
implement a quirk to move it slightly further forward when necessary.

Signed-off-by: Robin Murphy 
---
 drivers/usb/host/xhci-mem.c  | 32 +++-
 drivers/usb/host/xhci-pci.c  |  5 +
 drivers/usb/host/xhci-ring.c | 10 +-
 drivers/usb/host/xhci.c  | 10 +-
 drivers/usb/host/xhci.h  |  2 ++
 5 files changed, 40 insertions(+), 19 deletions(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 2a82c927ded2..bb62f100d028 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -108,17 +109,18 @@ static void xhci_free_segments_for_ring(struct xhci_hcd 
*xhci,
 static void xhci_link_segments(struct xhci_hcd *xhci, struct xhci_segment 
*prev,
struct xhci_segment *next, enum xhci_ring_type type)
 {
+   unsigned int link_idx;
u32 val;
 
if (!prev || !next)
return;
prev->next = next;
if (type != TYPE_EVENT) {
-   prev->trbs[TRBS_PER_SEGMENT-1].link.segment_ptr =
-   cpu_to_le64(next->dma);
+   link_idx = xhci_segment_link_idx(xhci);
+   prev->trbs[link_idx].link.segment_ptr = cpu_to_le64(next->dma);
 
/* Set the last TRB in the segment to have a TRB type ID of 
Link TRB */
-   val = le32_to_cpu(prev->trbs[TRBS_PER_SEGMENT-1].link.control);
+   val = le32_to_cpu(prev->trbs[link_idx].link.control);
val &= ~TRB_TYPE_BITMASK;
val |= TRB_TYPE(TRB_LINK);
/* Always set the chain bit with 0.95 hardware */
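Review bot: The context comment `/* Set the last TRB in the segment to have a TRB type ID of Link TRB */` is no longer accurate once the link TRB sits at `link_idx` rather than `TRBS_PER_SEGMENT-1`; on a controller with the quirk the entries after it are deliberately left unused. I would reword it to something like `/* Set the link TRB (at link_idx, which may precede the segment end on quirky hosts) to type Link */`. xhci_segment_link_idx() is defined outside this hunk, so it is worth confirming there that the returned index is always below TRBS_PER_SEGMENT, since it is used unchecked as an array subscript here and in xhci_link_rings. The function body continues in the next hunk.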
@@ -127,7 +129,7 @@ static void xhci_link_segments(struct xhci_hcd *xhci, 
struct xhci_segment *prev,
(type == TYPE_ISOC &&
 (xhci->quirks & XHCI_AMD_0x96_HOST)))
val |= TRB_CHAIN;
-   prev->trbs[TRBS_PER_SEGMENT-1].link.control = cpu_to_le32(val);
+   prev->trbs[link_idx].link.control = cpu_to_le32(val);
}
 }
 
@@ -140,20 +142,22 @@ static void xhci_link_rings(struct xhci_hcd *xhci, struct 
xhci_ring *ring,
unsigned int num_segs)
 {
struct xhci_segment *next;
+   unsigned int link_idx;
 
if (!ring || !first || !last)
return;
 
next = ring->enq_seg->next;
+   link_idx = xhci_segment_link_idx(xhci);
xhci_link_segments(xhci, ring->enq_seg, first, ring->type);
xhci_link_segments(xhci, last, next, ring->type);
ring->num_segs += num_segs;
-   ring->num_trbs_free += (TRBS_PER_SEGMENT - 1) * num_segs;
+   ring->num_trbs_free += link_idx * num_segs;
 
if (ring->type != TYPE_EVENT && ring->enq_seg == ring->last_seg) {
-   ring->last_seg->trbs[TRBS_PER_SEGMENT-1].link.control
+   ring->last_seg->trbs[link_idx].link.control
&= ~cpu_to_le32(LINK_TOGGLE);
-   last->trbs[TRBS_PER_SEGMENT-1].link.control
+   last->trbs[link_idx].link.control
|= cpu_to_le32(LINK_TOGGLE);
ring->last_seg = last;
}
@@ -300,7 +304,8 @@ void xhci_ring_free(struct xhci_hcd *xhci, struct xhci_ring 
*ring)
 }
 
 static void xhci_initialize_ring_info(struct xhci_ring *ring,
-   unsigned int cycle_state)
+   unsigned int cycle_state,
+   unsigned int link_idx)
 {
/* The ring is empty, so the enqueue pointer == dequeue pointer */
ring->enqueue = ring->first_seg->trbs;
@@ -320,7 +325,7 @@ static void xhci_initialize_ring_info(struct xhci_ring 
*ring,
 * Each segment has a link TRB, and leave an extra TRB for SW
 * accounting purpose
 */
-   ring->num_trbs_free = ring->num_segs * (TRBS_PER_SEGMENT - 1) - 1;
+   ring->num_trbs_free = ring->num_segs * link_idx - 1;
 }
 
 /* Allocate segments and link them for a ring */
@@ -373,6 +378,7 @@ static struct xhci_ring *xhci_ring_alloc(struct xhci_hcd 
*xhci,
  

Re: [PATCH 3/8] Documentation: fix input related doc refs

2017-10-10 Thread Takashi Iwai
On Tue, 10 Oct 2017 19:36:23 +0200,
Tom Saeger wrote:
> 
> Make `input` document refs valid including:
>   - joystick
>   - joystick-parport
> 
> Signed-off-by: Tom Saeger 

For the sound part:
Reviewed-by: Takashi Iwai 


thanks,

Takashi

> ---
>  Documentation/admin-guide/kernel-parameters.txt | 10 +-
>  Documentation/hid/hiddev.txt|  2 +-
>  Documentation/input/devices/xpad.rst|  3 ++-
>  Documentation/sound/cards/joystick.rst  |  2 +-
>  4 files changed, 9 insertions(+), 8 deletions(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt 
> b/Documentation/admin-guide/kernel-parameters.txt
> index e857bbbc8575..411b41127eee 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -314,7 +314,7 @@
>   amijoy.map= [HW,JOY] Amiga joystick support
>   Map of devices attached to JOY0DAT and JOY1DAT
>   Format: ,
> - See also Documentation/input/joystick.txt
> + See also Documentation/input/joydev/joystick.rst
>  
>   analog.map= [HW,JOY] Analog joystick and gamepad support
>   Specifies type or capabilities of an analog joystick
> @@ -724,7 +724,7 @@
>   db9.dev[2|3]=   [HW,JOY] Multisystem joystick support via parallel port
>   (one device per port)
>   Format: ,
> - See also Documentation/input/joystick-parport.txt
> + See also 
> Documentation/input/devices/joystick-parport.rst
>  
>   ddebug_query=   [KNL,DYNAMIC_DEBUG] Enable debug messages at early boot
>   time. See
> @@ -1220,7 +1220,7 @@
>   [HW,JOY] Multisystem joystick and NES/SNES/PSX pad
>   support via parallel port (up to 5 devices per port)
>   Format: ,
> - See also Documentation/input/joystick-parport.txt
> + See also 
> Documentation/input/devices/joystick-parport.rst
>  
>   gamma=  [HW,DRM]
>  
> @@ -1766,7 +1766,7 @@
>   ivrs_acpihid[00:14.5]=AMD0020:0
>  
>   js= [HW,JOY] Analog joystick
> - See Documentation/input/joystick.txt.
> + See Documentation/input/joydev/joystick.rst.
>  
>   nokaslr [KNL]
>   When CONFIG_RANDOMIZE_BASE is set, this disables
> @@ -4199,7 +4199,7 @@
>   TurboGraFX parallel port interface
>   Format:
>   ,,,
> - See also Documentation/input/joystick-parport.txt
> + See also 
> Documentation/input/devices/joystick-parport.rst
>  
>   udbg-immortal   [PPC] When debugging early kernel crashes that
>   happen after console_init() and before a proper
> diff --git a/Documentation/hid/hiddev.txt b/Documentation/hid/hiddev.txt
> index 6e8c9f1d2f22..638448707aa2 100644
> --- a/Documentation/hid/hiddev.txt
> +++ b/Documentation/hid/hiddev.txt
> @@ -12,7 +12,7 @@ To support these disparate requirements, the Linux USB 
> system provides
>  HID events to two separate interfaces:
>  * the input subsystem, which converts HID events into normal input
>  device interfaces (such as keyboard, mouse and joystick) and a
> -normalised event interface - see Documentation/input/input.txt
> +normalised event interface - see Documentation/input/input.rst
>  * the hiddev interface, which provides fairly raw HID events
>  
>  The data flow for a HID event produced by a device is something like
> diff --git a/Documentation/input/devices/xpad.rst 
> b/Documentation/input/devices/xpad.rst
> index 5a709ab77c8d..b8bd65962dd8 100644
> --- a/Documentation/input/devices/xpad.rst
> +++ b/Documentation/input/devices/xpad.rst
> @@ -230,4 +230,5 @@ Historic Edits
>  2005-03-19 - Dominic Cerquetti 
>   - added stuff for dance pads, new d-pad->axes mappings
>  
> -Later changes may be viewed with 'git log Documentation/input/xpad.txt'
> +Later changes may be viewed with
> +'git log --follow Documentation/input/devices/xpad.rst'
> diff --git a/Documentation/sound/cards/joystick.rst 
> b/Documentation/sound/cards/joystick.rst
> index a6e468c81d02..488946fc1079 100644
> --- a/Documentation/sound/cards/joystick.rst
> +++ b/Documentation/sound/cards/joystick.rst
> @@ -11,7 +11,7 @@ General
>  
>  First of all, you need to enable GAMEPORT support on Linux kernel for
>  using a joystick with the ALSA driver.  For the details of gameport
> -support, refer to Documentation/input/joystick.txt.
> +support, refer to Documentation/input/joydev/joystick.rst.
>  
>  The joystick support of ALSA drivers is different between ISA and PCI
>  cards.  In the case of ISA (PnP) cards, it's 

[PATCH 7/8] Documentation: fix usb related doc refs

2017-10-10 Thread Tom Saeger
Update ref to usb proc_usb_info.txt.

Signed-off-by: Tom Saeger 
---
 Documentation/driver-api/usb/usb.rst  | 4 +---
 Documentation/networking/cdc_mbim.txt | 4 ++--
 Documentation/usb/gadget-testing.txt  | 2 +-
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/Documentation/driver-api/usb/usb.rst 
b/Documentation/driver-api/usb/usb.rst
index dba0f876b36f..078e981e2b16 100644
--- a/Documentation/driver-api/usb/usb.rst
+++ b/Documentation/driver-api/usb/usb.rst
@@ -690,9 +690,7 @@ The USB devices are now exported via debugfs:
 This file is handy for status viewing tools in user mode, which can scan
 the text format and ignore most of it. More detailed device status
 (including class and vendor status) is available from device-specific
-files. For information about the current format of this file, see the
-``Documentation/usb/proc_usb_info.txt`` file in your Linux kernel
-sources.
+files. For information about the current format of this file, see below.
 
 This file, in combination with the poll() system call, can also be used
 to detect when devices are added or removed::
diff --git a/Documentation/networking/cdc_mbim.txt 
b/Documentation/networking/cdc_mbim.txt
index e4c376abbdad..4e68f0bc5dba 100644
--- a/Documentation/networking/cdc_mbim.txt
+++ b/Documentation/networking/cdc_mbim.txt
@@ -332,8 +332,8 @@ References
 [5] "MBIM (Mobile Broadband Interface Model) Registry"
- http://compliance.usb.org/mbim/
 
-[6] "/dev/bus/usb filesystem output"
-   - Documentation/usb/proc_usb_info.txt
+[6] "/sys/kernel/debug/usb/devices output format"
+   - Documentation/driver-api/usb/usb.rst
 
 [7] "/sys/bus/usb/devices/.../descriptors"
- Documentation/ABI/stable/sysfs-bus-usb
diff --git a/Documentation/usb/gadget-testing.txt 
b/Documentation/usb/gadget-testing.txt
index fbc397d17e98..441a4b9b666f 100644
--- a/Documentation/usb/gadget-testing.txt
+++ b/Documentation/usb/gadget-testing.txt
@@ -773,7 +773,7 @@ host:
 # cat /dev/usb/lp0
 
 More advanced testing can be done with the prn_example
-described in Documentation/usb/gadget-printer.txt.
+described in Documentation/usb/gadget_printer.txt.
 
 
 20. UAC1 function (virtual ALSA card, using u_audio API)
-- 
2.14.2



[PATCH 3/8] Documentation: fix input related doc refs

2017-10-10 Thread Tom Saeger
Make `input` document refs valid including:
  - joystick
  - joystick-parport

Signed-off-by: Tom Saeger 
---
 Documentation/admin-guide/kernel-parameters.txt | 10 +-
 Documentation/hid/hiddev.txt|  2 +-
 Documentation/input/devices/xpad.rst|  3 ++-
 Documentation/sound/cards/joystick.rst  |  2 +-
 4 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt 
b/Documentation/admin-guide/kernel-parameters.txt
index e857bbbc8575..411b41127eee 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -314,7 +314,7 @@
amijoy.map= [HW,JOY] Amiga joystick support
Map of devices attached to JOY0DAT and JOY1DAT
Format: ,
-   See also Documentation/input/joystick.txt
+   See also Documentation/input/joydev/joystick.rst
 
analog.map= [HW,JOY] Analog joystick and gamepad support
Specifies type or capabilities of an analog joystick
@@ -724,7 +724,7 @@
db9.dev[2|3]=   [HW,JOY] Multisystem joystick support via parallel port
(one device per port)
Format: ,
-   See also Documentation/input/joystick-parport.txt
+   See also 
Documentation/input/devices/joystick-parport.rst
 
ddebug_query=   [KNL,DYNAMIC_DEBUG] Enable debug messages at early boot
time. See
@@ -1220,7 +1220,7 @@
[HW,JOY] Multisystem joystick and NES/SNES/PSX pad
support via parallel port (up to 5 devices per port)
Format: ,
-   See also Documentation/input/joystick-parport.txt
+   See also 
Documentation/input/devices/joystick-parport.rst
 
gamma=  [HW,DRM]
 
@@ -1766,7 +1766,7 @@
ivrs_acpihid[00:14.5]=AMD0020:0
 
js= [HW,JOY] Analog joystick
-   See Documentation/input/joystick.txt.
+   See Documentation/input/joydev/joystick.rst.
 
nokaslr [KNL]
When CONFIG_RANDOMIZE_BASE is set, this disables
@@ -4199,7 +4199,7 @@
TurboGraFX parallel port interface
Format:
,,,
-   See also Documentation/input/joystick-parport.txt
+   See also 
Documentation/input/devices/joystick-parport.rst
 
udbg-immortal   [PPC] When debugging early kernel crashes that
happen after console_init() and before a proper
diff --git a/Documentation/hid/hiddev.txt b/Documentation/hid/hiddev.txt
index 6e8c9f1d2f22..638448707aa2 100644
--- a/Documentation/hid/hiddev.txt
+++ b/Documentation/hid/hiddev.txt
@@ -12,7 +12,7 @@ To support these disparate requirements, the Linux USB system 
provides
 HID events to two separate interfaces:
 * the input subsystem, which converts HID events into normal input
 device interfaces (such as keyboard, mouse and joystick) and a
-normalised event interface - see Documentation/input/input.txt
+normalised event interface - see Documentation/input/input.rst
 * the hiddev interface, which provides fairly raw HID events
 
 The data flow for a HID event produced by a device is something like
diff --git a/Documentation/input/devices/xpad.rst 
b/Documentation/input/devices/xpad.rst
index 5a709ab77c8d..b8bd65962dd8 100644
--- a/Documentation/input/devices/xpad.rst
+++ b/Documentation/input/devices/xpad.rst
@@ -230,4 +230,5 @@ Historic Edits
 2005-03-19 - Dominic Cerquetti 
  - added stuff for dance pads, new d-pad->axes mappings
 
-Later changes may be viewed with 'git log Documentation/input/xpad.txt'
+Later changes may be viewed with
+'git log --follow Documentation/input/devices/xpad.rst'
diff --git a/Documentation/sound/cards/joystick.rst 
b/Documentation/sound/cards/joystick.rst
index a6e468c81d02..488946fc1079 100644
--- a/Documentation/sound/cards/joystick.rst
+++ b/Documentation/sound/cards/joystick.rst
@@ -11,7 +11,7 @@ General
 
 First of all, you need to enable GAMEPORT support on Linux kernel for
 using a joystick with the ALSA driver.  For the details of gameport
-support, refer to Documentation/input/joystick.txt.
+support, refer to Documentation/input/joydev/joystick.rst.
 
 The joystick support of ALSA drivers is different between ISA and PCI
 cards.  In the case of ISA (PnP) cards, it's usually handled by the
-- 
2.14.2



Re: VL805 xHCI DMA read faults

2017-10-10 Thread Robin Murphy
On 10/10/17 16:51, David Laight wrote:
> From: Robin Murphy
>> Sent: 10 October 2017 16:25
> ...
>>> That could 'just' be the hardware doing a 'readahead' of the ring.
>>> Somewhat annoying if it is doing that across page boundaries.
>>
>>> Although, in that case, the read values wouldn't be used because the
>>> last TRB is a link.
>>> So that shouldn't stop the USB transfer - just gives an annoying error 
>>> message.
>>> OTOH if the PCIe read completion ends up with an error status it might halt
>>> the ring (or similar).
>>
>> Indeed, on my machine once the PCIe root complex gets an abort back from the
>> IOMMU, the VL805 is basically dead until a hard reset. The grotty diff
>> below does resolve that particular issue, but I'm not sure I like it :/
> 
> Is it enough to only allocate 255 TRB per page instead of adding a
> guard page?

Good point - crudely hacking TRBS_PER_SEGMENT down to 252 (255 made
things go a bit wacky) does indeed appear to suffice. I'll have a go at
a slightly nicer approach of just reserving the last TRB in a segment
where necessary.

Robin.


Re: [PATCH] usb: typec: tcpm: reset the port on removal

2017-10-10 Thread Guenter Roeck
On Tue, Oct 10, 2017 at 04:40:33PM +0300, Heikki Krogerus wrote:
> If a port is unregistered, all the devices attached to it
> must be unregistered as well. This will also make sure VBUS
> and VCONN are disabled.
> 
> Signed-off-by: Heikki Krogerus 

Makes sense.

Reviewed-by: Guenter Roeck 

> ---
>  drivers/usb/typec/tcpm.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/usb/typec/tcpm.c b/drivers/usb/typec/tcpm.c
> index ffc26a3294e6..2a1656df62a8 100644
> --- a/drivers/usb/typec/tcpm.c
> +++ b/drivers/usb/typec/tcpm.c
> @@ -3602,6 +3602,7 @@ void tcpm_unregister_port(struct tcpm_port *port)
>  {
>   int i;
>  
> + tcpm_reset_port(port);
>   for (i = 0; i < ARRAY_SIZE(port->port_altmode); i++)
>   typec_unregister_altmode(port->port_altmode[i]);
>   typec_unregister_port(port->typec_port);
> -- 
> 2.14.2
> 


RE: VL805 xHCI DMA read faults

2017-10-10 Thread David Laight
From: Robin Murphy
> Sent: 10 October 2017 16:25
...
> > That could 'just' be the hardware doing a 'readahead' of the ring.
> > Somewhat annoying if it is doing that across page boundaries.
>
> > Although, in that case, the read values wouldn't be used because the
> > last TRB is a link.
> > So that shouldn't stop the USB transfer - just gives an annoying error 
> > message.
> > OTOH if the PCIe read completion ends up with an error status it might halt
> > the ring (or similar).
> 
> Indeed, on my machine once the PCIe root complex gets an abort back from the
> IOMMU, the VL805 is basically dead until a hard reset. The grotty diff
> below does resolve that particular issue, but I'm not sure I like it :/

Is it enough to only allocate 255 TRB per page instead of adding a
guard page?

David


Re: VL805 xHCI DMA read faults

2017-10-10 Thread Robin Murphy
On 10/10/17 15:24, David Laight wrote:
> From: Mathias Nyman
>> Sent: 10 October 2017 15:13
> ...
>> [  428.409645] print_req_error: I/O error, dev sdb, sector 128
>> [  428.426612] arm-smmu 2b50.iommu: Unhandled context fault: fsr=0x8, 
>> iova=0xff0b1000,
>> fsynr=0x183, cb=0
>>
>> a ring segment is 256 TRBS, each *16 bytes, that ring last TRB should be at 
>> 0xff0b0ff0
>>
>> If the adm-smmu iova 0xff0b1000 means something is poking that DMA address
>> it's ring after that ring.
> 
> That could 'just' be the hardware doing a 'readahead' of the ring.
> Somewhat annoying if it is doing that across page boundaries.
> 
> Although, in that case, the read values wouldn't be used because the
> last TRB is a link.
> So that shouldn't stop the USB transfer - just gives an annoying error 
> message.
> OTOH if the PCIe read completion ends up with an error status it might halt
> the ring (or similar).

Indeed, on my machine once the PCIe root complex gets an abort back from the
IOMMU, the VL805 is basically dead until a hard reset. The grotty diff
below does resolve that particular issue, but I'm not sure I like it :/

Robin.

->8-
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 2a82c927ded2..9bec2a6d271a 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2376,9 +2376,17 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
 * however, the command ring segment needs 64-byte aligned segments
 * and our use of dma addresses in the trb_address_map radix tree needs
 * TRB_SEGMENT_SIZE alignment, so we pick the greater alignment need.
+* If the HC might prefetch past the end of the segment across page
+* boundaries, reserve enough space to prevent that going wrong.
 */
+   val = TRB_SEGMENT_SIZE;
+   val2 = xhci->page_size;
+   if (xhci->quirks & XHCI_READAHEAD_QUIRK) {
+   val *= 2;
+   val2 *= 2;
+   }
xhci->segment_pool = dma_pool_create("xHCI ring segments", dev,
-   TRB_SEGMENT_SIZE, TRB_SEGMENT_SIZE, xhci->page_size);
+   val, TRB_SEGMENT_SIZE, val2);
 
/* See Table 46 and Note on Figure 55 */
xhci->device_pool = dma_pool_create("xHCI input/output contexts", dev,
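Review bot: The doubled pool element in this xhci_mem_init() hunk is sized by `val *= 2`, but the comment does not say how far the controller reads ahead or why one extra segment is enough. It should state that a whole spare TRB_SEGMENT_SIZE is reserved because the prefetch distance is unknown, e.g. `/* Prefetch length is not known; pad each segment with one spare segment so the read stays inside memory we own. */`. `val` and `val2` are reused scratch names; locals such as `seg_size` and `seg_boundary` would make the three dma_pool_create() arguments readable. Any code that clears a segment by TRB_SEGMENT_SIZE (not visible here) would leave the pad holding stale pool contents for the device to fetch, which is worth checking on the allocation path. The function starts and ends outside the hunk.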
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 8071c8fdd15e..458404a22cf1 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -212,6 +212,11 @@ static void xhci_pci_quirks(struct device *dev, struct 
xhci_hcd *xhci)
pdev->device == 0x3432)
xhci->quirks |= XHCI_BROKEN_STREAMS;
 
+   /* VIA VL805 reads past the end of queue segments */
+   if (pdev->vendor == PCI_VENDOR_ID_VIA &&
+   pdev->device == 0x3483)
+   xhci->quirks |= XHCI_READAHEAD_QUIRK;
+
if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
pdev->device == 0x1042)
xhci->quirks |= XHCI_BROKEN_STREAMS;
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 2abaa4d6d39d..c78ed53ed5c4 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1828,6 +1828,7 @@ struct xhci_hcd {
 #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26)
 #define XHCI_U2_DISABLE_WAKE   (1 << 27)
 #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL(1 << 28)
+#define XHCI_READAHEAD_QUIRK   (1 << 29)
 
unsigned intnum_active_eps;
unsigned intlimit_active_eps;


Re: [PATCH 2/9] ALSA: bcd2000: Add a sanity check for invalid EPs

2017-10-10 Thread Takashi Iwai
On Tue, 10 Oct 2017 16:00:25 +0200,
Andrey Konovalov wrote:
> 
> On Tue, Oct 10, 2017 at 3:38 PM, Takashi Iwai  wrote:
> > As syzkaller spotted, currently bcd2000 driver submits a URB with the
> > fixed EP without checking whether it's actually available, which may
> > result in a kernel warning like:
> >   usb 1-1: BOGUS urb xfer, pipe 1 != type 3
> >   [ cut here ]
> >   WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
> >   usb_submit_urb+0xf8a/0x11d0
> >   Modules linked in:
> >   CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
> >   4.14.0-rc2-42613-g1488251d1a98 #238
> >   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
> > 01/01/2011
> >   Workqueue: usb_hub_wq hub_event
> >   Call Trace:
> >bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
> >bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
> >bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
> >usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
> >
> >
> > This patch adds a sanity check of validity of EPs at the device
> > initialization phase for avoiding the call with an invalid EP.
> >
> > Reported-by: Andrey Konovalov 
> > Signed-off-by: Takashi Iwai 
> 
> Hi Takashi,
> 
> I've applied patches #1 and #2 and for some reason get this when I try
> to build the kernel:
> 
>   LD  vmlinux.o
>   MODPOST vmlinux.o
> sound/usb/bcd2000/bcd2000.o: In function `bcd2000_init_midi':
> .../sound/usb/bcd2000/bcd2000.c:346: undefined reference to
> `usb_urb_ep_type_check'
> .../sound/usb/bcd2000/bcd2000.c:347: undefined reference to
> `usb_urb_ep_type_check'
> make: *** [vmlinux] Error 1
> 
> What could be wrong?

Mea culpa, I generated patches from the wrong branch.
Luckily only the first patch was wrong, the function name was
misspelled.

Below is the right patch for patch 1, which already includes Greg's
suggestions.  I'm going to send a v2 series later anyway, so I'm just
putting this one below.

Sorry for the inconvenience!


Takashi

-- 8< --
From: Takashi Iwai 
Subject: [PATCH 1/9] usb: core: Add a helper function to check the validity of 
EP type in URB

This patch adds a new helper function to perform a sanity check of the
given URB to see whether it contains a valid endpoint.  It's a light-
weight version of what usb_submit_urb() does, but without the kernel
warning followed by the stack trace, just returns an error code.

Especially for a driver that doesn't parse the descriptor but fills
the URB with the fixed endpoint (e.g. some quirks for non-compliant
devices), this kind of check is preferable at the probe phase before
actually submitting the urb.

Signed-off-by: Takashi Iwai 
---
 drivers/usb/core/urb.c | 30 ++
 include/linux/usb.h|  2 ++
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
index 47903d510955..8b800e34407b 100644
--- a/drivers/usb/core/urb.c
+++ b/drivers/usb/core/urb.c
@@ -187,6 +187,31 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
 
 /*---*/
 
+static const int pipetypes[4] = {
+   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
+};
+
+/**
+ * usb_urb_ep_type_check - sanity check of endpoint in the given urb
+ * @urb: urb to be checked
+ *
+ * This performs a light-weight sanity check for the endpoint in the
+ * given urb.  It returns 0 if the urb contains a valid endpoint, otherwise
+ * a negative error code.
+ */
+int usb_urb_ep_type_check(const struct urb *urb)
+{
+   const struct usb_host_endpoint *ep;
+
+   ep = usb_pipe_endpoint(urb->dev, urb->pipe);
+   if (!ep)
+   return -EINVAL;
+   if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(>desc)])
+   return -EINVAL;
+   return 0;
+}
+EXPORT_SYMBOL_GPL(usb_urb_ep_type_check);
+
 /**
  * usb_submit_urb - issue an asynchronous transfer request for an endpoint
  * @urb: pointer to the urb describing the request
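Review bot: The kernel-doc for usb_urb_ep_type_check() does not state its precondition: usb_pipe_endpoint() dereferences `urb->dev`, so the helper is only safe once the URB has been filled with a non-NULL device and a pipe. I would add a line such as `* The urb must already have @dev and @pipe set, e.g. by usb_fill_bulk_urb().` and a `Return:` section naming `-EINVAL`, since callers later in the series propagate or test the value. In the later usb_submit_urb() hunk the endpoint appears to have been looked up already (the function declares its own `ep` and `xfertype`), so the helper repeats that lookup there; that function's body lies mostly outside the diff.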
@@ -326,9 +351,6 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
  */
 int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
 {
-   static int  pipetypes[4] = {
-   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
-   };
int xfertype, max;
struct usb_device   *dev;
struct usb_host_endpoint*ep;
@@ -444,7 +466,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
 */
 
/* Check that the pipe's type matches the endpoint's type */
-   if (usb_pipetype(urb->pipe) != pipetypes[xfertype])
+   if (usb_urb_ep_type_check(urb))
dev_WARN(>dev, "BOGUS urb xfer, pipe %x != type %x\n",
usb_pipetype(urb->pipe), pipetypes[xfertype]);
 
diff --git a/include/linux/usb.h b/include/linux/usb.h
index 

RE: VL805 xHCI DMA read faults

2017-10-10 Thread David Laight
From: Mathias Nyman
> Sent: 10 October 2017 15:13
...
> [  428.409645] print_req_error: I/O error, dev sdb, sector 128
> [  428.426612] arm-smmu 2b50.iommu: Unhandled context fault: fsr=0x8, 
> iova=0xff0b1000,
> fsynr=0x183, cb=0
> 
> a ring segment is 256 TRBS, each *16 bytes, that ring last TRB should be at 
> 0xff0b0ff0
> 
> If the adm-smmu iova 0xff0b1000 means something is poking that DMA address
> it's ring after that ring.

That could 'just' be the hardware doing a 'readahead' of the ring.
Somewhat annoying if it is doing that across page boundaries.

Although, in that case, the read values wouldn't be used because the
last TRB is a link.
So that shouldn't stop the USB transfer - just gives an annoying error message.
OTOH if the PCIe read completion ends up with an error status it might halt
the ring (or similar).

David


Re: [PATCH v2] HID: usbhid: fix out-of-bounds bug

2017-10-10 Thread Alan Stern
On Tue, 10 Oct 2017, Jaejoong Kim wrote:

> Hi,
> 
> To. Jiri, Alan,
> 
> Could you please review this patch?
> 
> To. Andey,
> 
> Could you please test with this patch for KASAN OOB error?
> 
> Thanks, jaejoong
> 
> 2017-09-28 19:16 GMT+09:00 Jaejoong Kim :
> > The hid descriptor identifies the length and type of subordinate
> > descriptors for a device. If the received hid descriptor is smaller than
> > the size of the struct hid_descriptor, it is possible to cause
> > out-of-bounds.
> >
> > In addition, if bNumDescriptors of the hid descriptor have an incorrect
> > value, this can also cause out-of-bounds while approaching hdesc->desc[n].
> >
> > So check the size of hid descriptor and bNumDescriptors.
> >
> > BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
> > Read of size 1 at addr 88006c5f8edf by task kworker/1:2/1261
> >
> > CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
> > 4.14.0-rc1-42251-gebb2c2437d80 #169
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
> > 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> > __dump_stack lib/dump_stack.c:16
> > dump_stack+0x292/0x395 lib/dump_stack.c:52
> > print_address_description+0x78/0x280 mm/kasan/report.c:252
> > kasan_report_error mm/kasan/report.c:351
> > kasan_report+0x22f/0x340 mm/kasan/report.c:409
> > __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
> > usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
> > hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
> > usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
> > usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
> > really_probe drivers/base/dd.c:413
> > driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
> > __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
> > bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
> > __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
> > device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
> > bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
> > device_add+0xd0b/0x1660 drivers/base/core.c:1835
> > usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
> > generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
> > usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
> > really_probe drivers/base/dd.c:413
> > driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
> > __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
> > bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
> > __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
> > device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
> > bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
> > device_add+0xd0b/0x1660 drivers/base/core.c:1835
> > usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
> > hub_port_connect drivers/usb/core/hub.c:4903
> > hub_port_connect_change drivers/usb/core/hub.c:5009
> > port_event drivers/usb/core/hub.c:5115
> > hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
> > process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
> > worker_thread+0x221/0x1850 kernel/workqueue.c:2253
> > kthread+0x3a1/0x470 kernel/kthread.c:231
> > ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
> >
> > Reported-by: Andrey Konovalov 
> > Signed-off-by: Jaejoong Kim 
> > ---
> >
> > Changes in v2:
> > - write a new commit message because the original version took the wrong approach
> > - add check hid descriptor size
> > - get proper value for bNumDescriptors as suggested by Alan Stern
> > - fix the Reported-by
> >
> >  drivers/hid/usbhid/hid-core.c | 12 +++-
> >  1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> > index 089bad8..045b5da 100644
> > --- a/drivers/hid/usbhid/hid-core.c
> > +++ b/drivers/hid/usbhid/hid-core.c
> > @@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_device *hid)
> > unsigned int rsize = 0;
> > char *rdesc;
> > int ret, n;
> > +   int num_descriptors;
> > +   size_t offset = offsetof(struct hid_descriptor, desc);
> >
> > quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
> > le16_to_cpu(dev->descriptor.idProduct));
> > @@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_device *hid)
> > return -ENODEV;
> > }
> >
> > +   if (hdesc->bLength < sizeof(struct hid_descriptor)) {
> > +   dbg_hid("hid descriptor is too short\n");
> > +   return -EINVAL;
> > +   }
> > +
> > hid->version = 

Re: VL805 xHCI DMA read faults

2017-10-10 Thread Mathias Nyman

On 10.10.2017 12:41, David Laight wrote:

From: Robin Murphy

Sent: 09 October 2017 18:39

...

  - without the IOMMU, block sizes >=128K all settle down into a
suspiciously-periodic error every 2048 sectors.


That stinks of being a problem where either the link TRB is part
way through a USB packet or where a buffer fragment crosses
a 64k boundary.

Neither is allowed.



Those should be taken care of by the xhci driver already

xhci_align_td() should make sure the link TRB is at packet boundary, and
TRB_BUFF_LEN_UP_TO_BOUNDARY(addr) in xhci_queue_bulk_tx() should prevent
crossing 64k boundary in a TRB when queuing it.

more traces and logs of the VIA xhci controller could maybe tell something.

with the latest kernel:

echo 81920 > /sys/kernel/debug/tracing/buffer_size_kb
echo 1 > /sys/kernel/debug/tracing/events/xhci-hcd/enable
after failure:
cat /sys/kernel/debug/tracing/trace

The debug output from Robin shows the URB asked for 196808 bytes but gets exactly 64k, 
then stalls.
We then skip this TD to the next (the TD is exactly 7 TRBs (7 * 16 bytes) in this 
case), and continue the
same way.
So we keep jumping and stalling 0x70 bytes further along the ring:

[  427.959235] xhci_hcd :04:00.0: New dequeue pointer = 0xff0b0c40 (DMA)
[  428.083240] xhci_hcd :04:00.0: New dequeue pointer = 0xff0b0cb0 (DMA)
[  428.207238] xhci_hcd :04:00.0: New dequeue pointer = 0xff0b0d20 (DMA)
[  428.331237] xhci_hcd :04:00.0: New dequeue pointer = 0xff0b0d90 (DMA)
...
[  428.409645] print_req_error: I/O error, dev sdb, sector 128
[  428.426612] arm-smmu 2b50.iommu: Unhandled context fault: fsr=0x8, 
iova=0xff0b1000, fsynr=0x183, cb=0

A ring segment is 256 TRBs of 16 bytes each, so that ring's last TRB should be at 
0xff0b0ff0.

If the arm-smmu iova 0xff0b1000 means something is poking that DMA address,
it's right after that ring.

-Mathias




 





Re: [PATCH 2/9] ALSA: bcd2000: Add a sanity check for invalid EPs

2017-10-10 Thread Andrey Konovalov
On Tue, Oct 10, 2017 at 3:38 PM, Takashi Iwai  wrote:
> As syzkaller spotted, currently bcd2000 driver submits a URB with the
> fixed EP without checking whether it's actually available, which may
> result in a kernel warning like:
>   usb 1-1: BOGUS urb xfer, pipe 1 != type 3
>   [ cut here ]
>   WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
>   usb_submit_urb+0xf8a/0x11d0
>   Modules linked in:
>   CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
>   4.14.0-rc2-42613-g1488251d1a98 #238
>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>   Workqueue: usb_hub_wq hub_event
>   Call Trace:
>bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
>bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
>bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
>usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>
>
> This patch adds a sanity check of validity of EPs at the device
> initialization phase for avoiding the call with an invalid EP.
>
> Reported-by: Andrey Konovalov 
> Signed-off-by: Takashi Iwai 

Hi Takashi,

I've applied patches #1 and #2 and for some reason get this when I try
to build the kernel:

  LD  vmlinux.o
  MODPOST vmlinux.o
sound/usb/bcd2000/bcd2000.o: In function `bcd2000_init_midi':
.../sound/usb/bcd2000/bcd2000.c:346: undefined reference to
`usb_urb_ep_type_check'
.../sound/usb/bcd2000/bcd2000.c:347: undefined reference to
`usb_urb_ep_type_check'
make: *** [vmlinux] Error 1

What could be wrong?

Thanks!

> ---
>  sound/usb/bcd2000/bcd2000.c | 7 +++
>  1 file changed, 7 insertions(+)
>
> diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c
> index 7371e5b06035..a6408209d7f1 100644
> --- a/sound/usb/bcd2000/bcd2000.c
> +++ b/sound/usb/bcd2000/bcd2000.c
> @@ -342,6 +342,13 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k)
> bcd2k->midi_out_buf, BUFSIZE,
> bcd2000_output_complete, bcd2k, 1);
>
> +   /* sanity checks of EPs before actually submitting */
> +   if (usb_urb_ep_type_check(bcd2k->midi_in_urb) ||
> +   usb_urb_ep_type_check(bcd2k->midi_out_urb)) {
> +   dev_err(>dev->dev, "invalid MIDI EP\n");
> +   return -EINVAL;
> +   }
> +
> bcd2000_init_device(bcd2k);
>
> return 0;
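Review bot: The new `return -EINVAL` leaves bcd2000_init_midi() after both MIDI URBs have been filled, and nothing in the hunk releases what the function set up before that point. The function's start and the caller's error path are outside the hunk, so confirm that the probe failure path frees `midi_in_urb` and `midi_out_urb`; if it does not, the check needs its own cleanup before returning. A short comment on the check, e.g. `/* endpoints are hard-coded; reject devices whose descriptors do not match */`, would say why this driver needs the validation.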
> --
> 2.14.2
>


Re: [PATCH 1/9] usb: core: Add a helper function to check the validity of EP type in URB

2017-10-10 Thread Takashi Iwai
On Tue, 10 Oct 2017 15:53:49 +0200,
Greg KH wrote:
> 
> On Tue, Oct 10, 2017 at 03:38:11PM +0200, Takashi Iwai wrote:
> > This patch adds a new helper function to perform a sanity check of the
> > given URB to see whether it contains a valid endpoint.  It's a light-
> > weight version of what usb_submit_urb() does, but without the kernel
> > warning followed by the stack trace, just returns an error code.
> > 
> > Especially for a driver that doesn't parse the descriptor but fills
> > the URB with the fixed endpoint (e.g. some quirks for non-compliant
> > devices), this kind of check is preferable at the probe phase before
> > actually submitting the urb.
> > 
> > Signed-off-by: Takashi Iwai 
> > ---
> >  drivers/usb/core/urb.c | 28 +---
> >  include/linux/usb.h|  2 ++
> >  2 files changed, 27 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
> > index 47903d510955..580dfaec8af7 100644
> > --- a/drivers/usb/core/urb.c
> > +++ b/drivers/usb/core/urb.c
> > @@ -187,6 +187,31 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
> >  
> >  /*---*/
> >  
> > +static const int pipetypes[4] = {
> > +   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
> > +};
> > +
> > +/**
> > + * usb_urb_ep_check_type - sanity check of endpoint in the given urb
> > + * @urb: urb to be checked
> > + *
> > + * This performs a light-weight sanity check for the endpoint in the
> > + * given urb.  It returns 0 if the urb contains a valid endpoint, otherwise
> > + * a negative error code.
> > + */
> > +int usb_urb_ep_check_type(const struct urb *urb)
> > +{
> > +   const struct usb_host_endpoint *ep;
> > +
> > +   ep = usb_pipe_endpoint(urb->dev, urb->pipe);
> > +   if (!ep)
> > +   return -EINVAL;
> > +   if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(>desc)])
> > +   return -EINVAL;
> > +   return 0;
> > +}
> > +EXPORT_SYMBOL_GPL(usb_urb_ep_check_type);
> > +
> >  /**
> >   * usb_submit_urb - issue an asynchronous transfer request for an endpoint
> >   * @urb: pointer to the urb describing the request
> > @@ -326,9 +351,6 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
> >   */
> >  int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
> >  {
> > -   static int  pipetypes[4] = {
> > -   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
> > -   };
> > int xfertype, max;
> > struct usb_device   *dev;
> > struct usb_host_endpoint*ep;
> 
> Can you also call usb_urb_ep_check_type() in usb_submit_urb()?

OK, will do that in v2 patch.


thanks,

Takashi


Re: [PATCH 1/9] usb: core: Add a helper function to check the validity of EP type in URB

2017-10-10 Thread Greg KH
On Tue, Oct 10, 2017 at 03:38:11PM +0200, Takashi Iwai wrote:
> This patch adds a new helper function to perform a sanity check of the
> given URB to see whether it contains a valid endpoint.  It's a light-
> weight version of what usb_submit_urb() does, but without the kernel
> warning followed by the stack trace, just returns an error code.
> 
> Especially for a driver that doesn't parse the descriptor but fills
> the URB with the fixed endpoint (e.g. some quirks for non-compliant
> devices), this kind of check is preferable at the probe phase before
> actually submitting the urb.
> 
> Signed-off-by: Takashi Iwai 
> ---
>  drivers/usb/core/urb.c | 28 +---
>  include/linux/usb.h|  2 ++
>  2 files changed, 27 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
> index 47903d510955..580dfaec8af7 100644
> --- a/drivers/usb/core/urb.c
> +++ b/drivers/usb/core/urb.c
> @@ -187,6 +187,31 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
>  
>  /*---*/
>  
> +static const int pipetypes[4] = {
> + PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
> +};
> +
> +/**
> + * usb_urb_ep_check_type - sanity check of endpoint in the given urb
> + * @urb: urb to be checked
> + *
> + * This performs a light-weight sanity check for the endpoint in the
> + * given urb.  It returns 0 if the urb contains a valid endpoint, otherwise
> + * a negative error code.
> + */
> +int usb_urb_ep_check_type(const struct urb *urb)
> +{
> + const struct usb_host_endpoint *ep;
> +
> + ep = usb_pipe_endpoint(urb->dev, urb->pipe);
> + if (!ep)
> + return -EINVAL;
> + if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(>desc)])
> + return -EINVAL;
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(usb_urb_ep_check_type);
> +
>  /**
>   * usb_submit_urb - issue an asynchronous transfer request for an endpoint
>   * @urb: pointer to the urb describing the request
> @@ -326,9 +351,6 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
>   */
>  int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
>  {
> - static int  pipetypes[4] = {
> - PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
> - };
>   int xfertype, max;
>   struct usb_device   *dev;
>   struct usb_host_endpoint*ep;

Can you also call usb_urb_ep_check_type() in usb_submit_urb()?

thanks,

greg k-h


[PATCH] usb: typec: tcpm: reset the port on removal

2017-10-10 Thread Heikki Krogerus
If a port is unregistered, all the devices attached to it
must be unregistered as well. This will also make sure VBUS
and VCONN are disabled.

Signed-off-by: Heikki Krogerus 
---
 drivers/usb/typec/tcpm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/typec/tcpm.c b/drivers/usb/typec/tcpm.c
index ffc26a3294e6..2a1656df62a8 100644
--- a/drivers/usb/typec/tcpm.c
+++ b/drivers/usb/typec/tcpm.c
@@ -3602,6 +3602,7 @@ void tcpm_unregister_port(struct tcpm_port *port)
 {
int i;
 
+   tcpm_reset_port(port);
for (i = 0; i < ARRAY_SIZE(port->port_altmode); i++)
typec_unregister_altmode(port->port_altmode[i]);
typec_unregister_port(port->typec_port);
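Review bot: tcpm_reset_port() is called here as the first statement of tcpm_unregister_port(), before anything visible in the hunk stops the port's state machine. If the reset helper is normally run from the state machine under the port lock (its definition is not in this hunk), a concurrent state transition could re-enable VBUS or VCONN after the reset. In that case the call should either take the lock or run after pending work has been cancelled. A comment such as `/* drop VBUS/VCONN and detach the partner before the port goes away */` would record why the reset is needed. The function continues past the end of the hunk.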
-- 
2.14.2



Re: linux-stable 4.11.y – xhci probe failed because of missing patches

2017-10-10 Thread Greg KH
On Tue, Oct 10, 2017 at 02:50:48PM +0700, Tung Vuong Nguyen wrote:
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is 
> for the sole use of the intended recipient(s) and contains information that 
> is confidential and proprietary to Applied Micro Circuits Corporation or 
> its subsidiaries. It is to be used solely for the purpose of furthering the 
> parties' business relationship. All unauthorized review, use, disclosure or 
> distribution is prohibited. If you are not the intended recipient, please 
> contact the sender by reply e-mail and destroy all copies of the original 
> message.

oops, should have deleted my previous email.  I've now deleted yours, as
I should not ever respond to emails with footers like this :(


Re: linux-stable 4.11.y – xhci probe failed because of missing patches

2017-10-10 Thread Greg KH
On Tue, Oct 10, 2017 at 02:50:48PM +0700, Tung Vuong Nguyen wrote:
> Hi everyone,
> 
> Since kernel 4.11, there are a list of patches from Sriram (refer
> https://lkml.org/lkml/2016/11/10/51) that change the way DMA is
> inherited from sysdev. They have been accepted and available in
> torvalds/linux.git already. Below are list the patches:

4.11 is long end-of-life, why are you still using it?  Is this an issue
with either the 4.9 or 4.13 stable kernels?

4.11 also has other major issues, I'd stay away from it, unless you like
running insecure systems :)

thanks,

greg k-h


[PATCH 0/9] sound: Add sanity checks for invalid EPs

2017-10-10 Thread Takashi Iwai
Hi,

this is a patchset to cover the codes that may submit URBs containing
invalid EPs without validation, which result in the kernel warning
from the USB core.  The first patch adds a new helper for simplifying
the EP check, and the rest applies it at needed places.

USB devs: could you check the first patch?  I tried
usb_find_common_endpoints() and friends at first, but it made the code
more complex in the end, because we're dealing with the fixed
endpoints and the validation is required for them.

The original issues were spotted by syzkaller, and I put a few others
for covering more similar cases.

thanks,

Takashi

===

Takashi Iwai (9):
  usb: core: Add a helper function to check the validity of EP type in
URB
  ALSA: bcd2000: Add a sanity check for invalid EPs
  ALSA: caiaq: Add a sanity check for invalid EPs
  ALSA: line6: Add a sanity check for invalid EPs
  ALSA: usb-audio: Add sanity checks for invalid EPs
  ALSA: usx2y: Add sanity checks for invalid EPs
  ALSA: hiface: Add sanity checks for invalid EPs
  ALSA: caiaq: Add yet more sanity checks for invalid EPs
  ALSA: line6: Add yet more sanity checks for invalid EPs

 drivers/usb/core/urb.c  | 28 +---
 include/linux/usb.h |  2 ++
 sound/usb/bcd2000/bcd2000.c |  7 +++
 sound/usb/caiaq/device.c|  7 +++
 sound/usb/caiaq/input.c |  9 +
 sound/usb/hiface/pcm.c  |  9 +++--
 sound/usb/line6/driver.c| 30 ++
 sound/usb/line6/midi.c  | 17 +++--
 sound/usb/midi.c| 38 ++
 sound/usb/usx2y/usbusx2y.c  |  8 
 sound/usb/usx2y/usbusx2yaudio.c |  3 +++
 11 files changed, 131 insertions(+), 27 deletions(-)

-- 
2.14.2



[PATCH 7/9] ALSA: hiface: Add sanity checks for invalid EPs

2017-10-10 Thread Takashi Iwai
hiface usb-audio driver sets up URBs containing the fixed endpoints
without validation.  This may end up with an oops-like kernel warning
when submitted.

For avoiding it, this patch adds the calls of the new sanity-check
helper for URBs.

Signed-off-by: Takashi Iwai 
---
 sound/usb/hiface/pcm.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
index 175d8d6b7f59..396c317115b1 100644
--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -541,6 +541,8 @@ static int hiface_pcm_init_urb(struct pcm_urb *urb,
usb_fill_bulk_urb(>instance, chip->dev,
  usb_sndbulkpipe(chip->dev, ep), (void *)urb->buffer,
  PCM_PACKET_SIZE, handler, urb);
+   if (usb_urb_ep_type_check(>instance))
+   return -EINVAL;
init_usb_anchor(>submitted);
 
return 0;
@@ -599,9 +601,12 @@ int hiface_pcm_init(struct hiface_chip *chip, u8 
extra_freq)
mutex_init(>stream_mutex);
spin_lock_init(>playback.lock);
 
-   for (i = 0; i < PCM_N_URBS; i++)
-   hiface_pcm_init_urb(>out_urbs[i], chip, OUT_EP,
+   for (i = 0; i < PCM_N_URBS; i++) {
+   ret = hiface_pcm_init_urb(>out_urbs[i], chip, OUT_EP,
hiface_pcm_out_urb_handler);
+   if (ret < 0)
+   return ret;
+   }
 
ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, );
if (ret < 0) {
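Review bot: The early `return ret` inside the new loop in hiface_pcm_init() exits without undoing earlier work, while the snd_pcm_new() failure branch just below opens a block that presumably does cleanup. Whatever was allocated for the PCM runtime before the loop, and any per-URB buffers set up by the hiface_pcm_init_urb() calls that already succeeded, look as if they would be leaked on this path; both allocations are outside the hunks, so this needs confirming. The same applies to the `return -EINVAL` added in the first hunk (hiface_pcm_init_urb) if the URB's buffer is allocated before usb_fill_bulk_urb(). Routing both failures through one cleanup label would keep them consistent.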
-- 
2.14.2



[PATCH 5/9] ALSA: usb-audio: Add sanity checks for invalid EPs

2017-10-10 Thread Takashi Iwai
USB-audio driver may set up a URB containing the fixed EP without
validating its presence for some non-class-compliant devices.  This
may end up with an oops-like kernel warning when submitted.

For avoiding it, this patch adds the call of the new sanity-check
helper for URBs.  The checks are needed only for MIDI I/O as the other
places have already some other checks.

Signed-off-by: Takashi Iwai 
---
 sound/usb/midi.c | 38 ++
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index a92e2b2a91ec..7ab25de5ca0a 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1282,6 +1282,7 @@ static int snd_usbmidi_in_endpoint_create(struct 
snd_usb_midi *umidi,
unsigned int pipe;
int length;
unsigned int i;
+   int err;
 
rep->in = NULL;
ep = kzalloc(sizeof(*ep), GFP_KERNEL);
@@ -1292,8 +1293,8 @@ static int snd_usbmidi_in_endpoint_create(struct 
snd_usb_midi *umidi,
for (i = 0; i < INPUT_URBS; ++i) {
ep->urbs[i] = usb_alloc_urb(0, GFP_KERNEL);
if (!ep->urbs[i]) {
-   snd_usbmidi_in_endpoint_delete(ep);
-   return -ENOMEM;
+   err = -ENOMEM;
+   goto error;
}
}
if (ep_info->in_interval)
@@ -1305,8 +1306,8 @@ static int snd_usbmidi_in_endpoint_create(struct 
snd_usb_midi *umidi,
buffer = usb_alloc_coherent(umidi->dev, length, GFP_KERNEL,
>urbs[i]->transfer_dma);
if (!buffer) {
-   snd_usbmidi_in_endpoint_delete(ep);
-   return -ENOMEM;
+   err = -ENOMEM;
+   goto error;
}
if (ep_info->in_interval)
usb_fill_int_urb(ep->urbs[i], umidi->dev,
@@ -1318,10 +1319,20 @@ static int snd_usbmidi_in_endpoint_create(struct 
snd_usb_midi *umidi,
  pipe, buffer, length,
  snd_usbmidi_in_urb_complete, ep);
ep->urbs[i]->transfer_flags = URB_NO_TRANSFER_DMA_MAP;
+   err = usb_urb_ep_type_check(ep->urbs[i]);
+   if (err < 0) {
+   dev_err(>dev->dev, "invalid MIDI in EP %x\n",
+   ep_info->in_ep);
+   goto error;
+   }
}
 
rep->in = ep;
return 0;
+
+ error:
+   snd_usbmidi_in_endpoint_delete(ep);
+   return -ENOMEM;
 }
 
 /*
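Review bot: The new `error:` label in snd_usbmidi_in_endpoint_create() ends with `return -ENOMEM;`, so the code from usb_urb_ep_type_check() stored in `err` is discarded and an invalid endpoint is reported as out-of-memory. It should be `return err;`, matching the `error:` label added to snd_usbmidi_out_endpoint_create() in the last hunk of this file. The function starts before this hunk.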
@@ -1357,6 +1368,7 @@ static int snd_usbmidi_out_endpoint_create(struct 
snd_usb_midi *umidi,
unsigned int i;
unsigned int pipe;
void *buffer;
+   int err;
 
rep->out = NULL;
ep = kzalloc(sizeof(*ep), GFP_KERNEL);
@@ -1367,8 +1379,8 @@ static int snd_usbmidi_out_endpoint_create(struct 
snd_usb_midi *umidi,
for (i = 0; i < OUTPUT_URBS; ++i) {
ep->urbs[i].urb = usb_alloc_urb(0, GFP_KERNEL);
if (!ep->urbs[i].urb) {
-   snd_usbmidi_out_endpoint_delete(ep);
-   return -ENOMEM;
+   err = -ENOMEM;
+   goto error;
}
ep->urbs[i].ep = ep;
}
@@ -1406,8 +1418,8 @@ static int snd_usbmidi_out_endpoint_create(struct 
snd_usb_midi *umidi,
ep->max_transfer, GFP_KERNEL,
>urbs[i].urb->transfer_dma);
if (!buffer) {
-   snd_usbmidi_out_endpoint_delete(ep);
-   return -ENOMEM;
+   err = -ENOMEM;
+   goto error;
}
if (ep_info->out_interval)
usb_fill_int_urb(ep->urbs[i].urb, umidi->dev,
@@ -1419,6 +1431,12 @@ static int snd_usbmidi_out_endpoint_create(struct 
snd_usb_midi *umidi,
  pipe, buffer, ep->max_transfer,
  snd_usbmidi_out_urb_complete,
  >urbs[i]);
+   err = usb_urb_ep_type_check(ep->urbs[i].urb);
+   if (err < 0) {
+   dev_err(>dev->dev, "invalid MIDI out EP %x\n",
+   ep_info->out_ep);
+   goto error;
+   }
ep->urbs[i].urb->transfer_flags = URB_NO_TRANSFER_DMA_MAP;
}
 
@@ -1437,6 +1455,10 @@ static int snd_usbmidi_out_endpoint_create(struct 
snd_usb_midi *umidi,
 
rep->out = ep;
return 0;
+
+ error:
+   snd_usbmidi_out_endpoint_delete(ep);
+   return err;
 }
 
 /*
-- 
2.14.2


[PATCH 2/9] ALSA: bcd2000: Add a sanity check for invalid EPs

2017-10-10 Thread Takashi Iwai
As syzkaller spotted, currently bcd2000 driver submits a URB with the
fixed EP without checking whether it's actually available, which may
result in a kernel warning like:
  usb 1-1: BOGUS urb xfer, pipe 1 != type 3
  [ cut here ]
  WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
  usb_submit_urb+0xf8a/0x11d0
  Modules linked in:
  CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
  4.14.0-rc2-42613-g1488251d1a98 #238
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
   bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
   bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   

This patch adds a sanity check of validity of EPs at the device
initialization phase for avoiding the call with an invalid EP.

Reported-by: Andrey Konovalov 
Signed-off-by: Takashi Iwai 
---
 sound/usb/bcd2000/bcd2000.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c
index 7371e5b06035..a6408209d7f1 100644
--- a/sound/usb/bcd2000/bcd2000.c
+++ b/sound/usb/bcd2000/bcd2000.c
@@ -342,6 +342,13 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k)
bcd2k->midi_out_buf, BUFSIZE,
bcd2000_output_complete, bcd2k, 1);
 
+   /* sanity checks of EPs before actually submitting */
+   if (usb_urb_ep_type_check(bcd2k->midi_in_urb) ||
+   usb_urb_ep_type_check(bcd2k->midi_out_urb)) {
+   dev_err(>dev->dev, "invalid MIDI EP\n");
+   return -EINVAL;
+   }
+
bcd2000_init_device(bcd2k);
 
return 0;
-- 
2.14.2



[PATCH 9/9] ALSA: line6: Add yet more sanity checks for invalid EPs

2017-10-10 Thread Takashi Iwai
There are a few other places calling usb_submit_urb() with the URB
composed from the fixed endpoint without validation.  For avoiding the
spurious kernel warnings, add the sanity checks to appropriate
places.

Signed-off-by: Takashi Iwai 
---
 sound/usb/line6/driver.c | 23 +++
 sound/usb/line6/midi.c   | 17 +++--
 2 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c
index 167aebf8276e..8d5a454842f4 100644
--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -175,17 +175,24 @@ static int line6_send_raw_message_async_part(struct 
message *msg,
}
 
msg->done += bytes;
-   retval = usb_submit_urb(urb, GFP_ATOMIC);
 
-   if (retval < 0) {
-   dev_err(line6->ifcdev, "%s: usb_submit_urb failed (%d)\n",
-   __func__, retval);
-   usb_free_urb(urb);
-   kfree(msg);
-   return retval;
-   }
+   /* sanity checks of EP before actually submitting */
+   retval = usb_urb_ep_type_check(urb);
+   if (retval < 0)
+   goto error;
+
+   retval = usb_submit_urb(urb, GFP_ATOMIC);
+   if (retval < 0)
+   goto error;
 
return 0;
+
+ error:
+   dev_err(line6->ifcdev, "%s: usb_submit_urb failed (%d)\n",
+   __func__, retval);
+   usb_free_urb(urb);
+   kfree(msg);
+   return retval;
 }
 
 /*
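Review bot: The shared `error:` label logs `usb_submit_urb failed (%d)` even when the jump came from the new `usb_urb_ep_type_check()` call, so a device with a mismatched endpoint shows up in the log as a submit failure. Logging at the check keeps the two causes apart, for example `dev_err(line6->ifcdev, "%s: invalid EP (%d)\n", __func__, retval);` in the first branch, with the existing message moved into the submit branch so that the label only frees `urb` and `msg`. The `error:` label added to send_midi_async in sound/usb/line6/midi.c has the same problem: it prints `usb_submit_urb failed` for both paths. line6_send_raw_message_async_part starts outside this hunk.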
diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c
index 1d3a23b02d68..6d7cde56a355 100644
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -130,16 +130,21 @@ static int send_midi_async(struct usb_line6 *line6, 
unsigned char *data,
 transfer_buffer, length, midi_sent, line6,
 line6->interval);
urb->actual_length = 0;
-   retval = usb_submit_urb(urb, GFP_ATOMIC);
+   retval = usb_urb_ep_type_check(urb);
+   if (retval < 0)
+   goto error;
 
-   if (retval < 0) {
-   dev_err(line6->ifcdev, "usb_submit_urb failed\n");
-   usb_free_urb(urb);
-   return retval;
-   }
+   retval = usb_submit_urb(urb, GFP_ATOMIC);
+   if (retval < 0)
+   goto error;
 
++line6->line6midi->num_active_send_urbs;
return 0;
+
+ error:
+   dev_err(line6->ifcdev, "usb_submit_urb failed\n");
+   usb_free_urb(urb);
+   return retval;
 }
 
 static int line6_midi_output_open(struct snd_rawmidi_substream *substream)
-- 
2.14.2



[PATCH 8/9] ALSA: caiaq: Add yet more sanity checks for invalid EPs

2017-10-10 Thread Takashi Iwai
A few other places in caiaq driver have the URB handling with the
fixed endpoints without checking the validity, too.  Add the sanity
check with the new helper function at each appropriate place for
avoiding the spurious kernel warnings due to invalid EPs.

Signed-off-by: Takashi Iwai 
---
 sound/usb/caiaq/input.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/sound/usb/caiaq/input.c b/sound/usb/caiaq/input.c
index 4b3fb91deecd..e883659ea6e7 100644
--- a/sound/usb/caiaq/input.c
+++ b/sound/usb/caiaq/input.c
@@ -718,6 +718,9 @@ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev)
  usb_rcvbulkpipe(usb_dev, 0x4),
  cdev->ep4_in_buf, EP4_BUFSIZE,
  snd_usb_caiaq_ep4_reply_dispatch, cdev);
+   ret = usb_urb_ep_type_check(cdev->ep4_in_urb);
+   if (ret < 0)
+   goto exit_free_idev;
 
snd_usb_caiaq_set_auto_msg(cdev, 1, 10, 5);
 
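Review bot: The new `goto exit_free_idev` fails input setup without any log line, so a device rejected by the endpoint check leaves no hint in dmesg about why probing stopped. The other patches in this series print a short `invalid ... EP` message at the same point. A similar one-liner before the jump would make a malformed or non-genuine device easier to diagnose, for example `dev_err(&usb_dev->dev, "invalid EP4 in\n");`, assuming `usb_dev` is the `struct usb_device *` passed to `usb_rcvbulkpipe()` above. The same three lines are added in the two following hunks of this function. The function body and the `exit_free_idev` label lie outside all three hunks.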
@@ -757,6 +760,9 @@ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev)
  usb_rcvbulkpipe(usb_dev, 0x4),
  cdev->ep4_in_buf, EP4_BUFSIZE,
  snd_usb_caiaq_ep4_reply_dispatch, cdev);
+   ret = usb_urb_ep_type_check(cdev->ep4_in_urb);
+   if (ret < 0)
+   goto exit_free_idev;
 
snd_usb_caiaq_set_auto_msg(cdev, 1, 10, 5);
 
@@ -802,6 +808,9 @@ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev)
  usb_rcvbulkpipe(usb_dev, 0x4),
  cdev->ep4_in_buf, EP4_BUFSIZE,
  snd_usb_caiaq_ep4_reply_dispatch, cdev);
+   ret = usb_urb_ep_type_check(cdev->ep4_in_urb);
+   if (ret < 0)
+   goto exit_free_idev;
 
snd_usb_caiaq_set_auto_msg(cdev, 1, 10, 5);
break;
-- 
2.14.2



[PATCH 6/9] ALSA: usx2y: Add sanity checks for invalid EPs

2017-10-10 Thread Takashi Iwai
usx2y driver sets up URBs containing the fixed endpoints without
validation.  This may end up with an oops-like kernel warning when
submitted.

For avoiding it, this patch adds the calls of the new sanity-check
helper for URBs.

Signed-off-by: Takashi Iwai 
---
 sound/usb/usx2y/usbusx2y.c  | 8 
 sound/usb/usx2y/usbusx2yaudio.c | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index 4569c0efac0a..55a631ccfa25 100644
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -244,6 +244,9 @@ static void i_usX2Y_In04Int(struct urb *urb)
  
usb_sndbulkpipe(usX2Y->dev, 0x04), >val.vol,
  p4out->type 
== eLT_Light ? sizeof(struct us428_lights) : 5,
  
i_usX2Y_Out04Int, usX2Y);
+   err = 
usb_urb_ep_type_check(usX2Y->AS04.urb[j]);
+   if (err < 0)
+   break;
err = 
usb_submit_urb(usX2Y->AS04.urb[j], GFP_ATOMIC);
us428ctls->p4outSent = send;
break;
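Review bot: When the new check fails, the `break` leaves the block before `us428ctls->p4outSent = send;`, whereas a failing `usb_submit_urb()` still records the message as sent. The two failure paths now behave differently, and the first would presumably be retried on every later interrupt. If that is not intended, either move the assignment above the check or treat a failed check exactly like a failed submit. This code runs in a URB completion handler and the pipe is the fixed `usb_sndbulkpipe(usX2Y->dev, 0x04)`, so validating once at setup may be enough, provided the usX2Y_AsyncSeq04_init check in the next hunk covers the same pipe. The enclosing function starts and ends outside this hunk.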
@@ -279,6 +282,9 @@ int usX2Y_AsyncSeq04_init(struct usX2Ydev *usX2Y)
usX2Y->AS04.buffer + 
URB_DataLen_AsyncSeq*i, 0,
i_usX2Y_Out04Int, usX2Y
);
+   err = usb_urb_ep_type_check(usX2Y->AS04.urb[i]);
+   if (err < 0)
+   break;
}
return err;
 }
@@ -298,6 +304,8 @@ int usX2Y_In04_init(struct usX2Ydev *usX2Y)
 usX2Y->In04Buf, 21,
 i_usX2Y_In04Int, usX2Y,
 10);
+   if (usb_urb_ep_type_check(usX2Y->In04urb))
+   return -EINVAL;
return usb_submit_urb(usX2Y->In04urb, GFP_KERNEL);
 }
 
diff --git a/sound/usb/usx2y/usbusx2yaudio.c b/sound/usb/usx2y/usbusx2yaudio.c
index f93b355756e6..345e439aa95b 100644
--- a/sound/usb/usx2y/usbusx2yaudio.c
+++ b/sound/usb/usx2y/usbusx2yaudio.c
@@ -677,6 +677,9 @@ static int usX2Y_rate_set(struct usX2Ydev *usX2Y, int rate)
usb_fill_bulk_urb(us->urb[i], usX2Y->dev, 
usb_sndbulkpipe(usX2Y->dev, 4),
  usbdata + i, 2, i_usX2Y_04Int, usX2Y);
}
+   err = usb_urb_ep_type_check(us->urb[0]);
+   if (err < 0)
+   goto cleanup;
us->submitted = 0;
us->len =   NOOF_SETRATE_URBS;
usX2Y->US04 =   us;
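Review bot: Only `us->urb[0]` is checked although the loop above fills several URBs. That is sufficient only because each of them is built with the same `usb_sndbulkpipe(usX2Y->dev, 4)`, which is worth stating next to the check, e.g. `/* all set-rate URBs share one pipe; checking the first is enough */`. usX2Y_rate_set begins before this hunk, so the `cleanup` label and what it releases are not visible here.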
-- 
2.14.2



[PATCH 4/9] ALSA: line6: Add a sanity check for invalid EPs

2017-10-10 Thread Takashi Iwai
As syzkaller spotted, currently line6 drivers submit a URB with the
fixed EP without checking whether it's actually available, which may
result in a kernel warning like:
  usb 1-1: BOGUS urb xfer, pipe 3 != type 1
  [ cut here ]
  WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449
  usb_submit_urb+0xf8a/0x11d0
  Modules linked in:
  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 
#238
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82
   line6_init_cap_control sound/usb/line6/driver.c:690
   line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764
   podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   

This patch adds a sanity check of validity of EPs at the device
initialization phase for avoiding the call with an invalid EP.

Reported-by: Andrey Konovalov 
Cc: 
Signed-off-by: Takashi Iwai 
---
 sound/usb/line6/driver.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c
index c8f723c3a033..167aebf8276e 100644
--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -78,6 +78,13 @@ static int line6_start_listen(struct usb_line6 *line6)
line6->buffer_listen, LINE6_BUFSIZE_LISTEN,
line6_data_received, line6);
}
+
+   /* sanity checks of EP before actually submitting */
+   if (usb_urb_ep_type_check(line6->urb_listen)) {
+   dev_err(line6->ifcdev, "invalid control EP\n");
+   return -EINVAL;
+   }
+
line6->urb_listen->actual_length = 0;
err = usb_submit_urb(line6->urb_listen, GFP_ATOMIC);
return err;
-- 
2.14.2



[PATCH 3/9] ALSA: caiaq: Add a sanity check for invalid EPs

2017-10-10 Thread Takashi Iwai
As syzkaller spotted, currently caiaq driver submits a URB with the
fixed EP without checking whether it's actually available, which may
result in a kernel warning like:
  usb 1-1: BOGUS urb xfer, pipe 3 != type 1
  [ cut here ]
  WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449
  usb_submit_urb+0xf8a/0x11d0
  Modules linked in:
  CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted
  4.14.0-rc2-42660-g24b7bd59eec0 #277
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   init_card sound/usb/caiaq/device.c:467
   snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   

This patch adds a sanity check of validity of EPs at the device
initialization phase for avoiding the call with an invalid EP.

Reported-by: Andrey Konovalov 
Signed-off-by: Takashi Iwai 
---
 sound/usb/caiaq/device.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 0fb6b1b79261..a29674bf96e5 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -461,6 +461,13 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
  cdev->midi_out_buf, EP1_BUFSIZE,
  snd_usb_caiaq_midi_output_done, cdev);
 
+   /* sanity checks of EPs before actually submitting */
+   if (usb_urb_ep_type_check(>ep1_in_urb) ||
+   usb_urb_ep_type_check(>midi_out_urb)) {
+   dev_err(dev, "invalid EPs\n");
+   return -EINVAL;
+   }
+
init_waitqueue_head(>ep1_wait_queue);
init_waitqueue_head(>prepare_wait_queue);
 
-- 
2.14.2



[PATCH 1/9] usb: core: Add a helper function to check the validity of EP type in URB

2017-10-10 Thread Takashi Iwai
This patch adds a new helper function to perform a sanity check of the
given URB to see whether it contains a valid endpoint.  It's a light-
weight version of what usb_submit_urb() does, but without the kernel
warning followed by the stack trace, just returns an error code.

Especially for a driver that doesn't parse the descriptor but fills
the URB with the fixed endpoint (e.g. some quirks for non-compliant
devices), this kind of check is preferable at the probe phase before
actually submitting the urb.

Signed-off-by: Takashi Iwai 
---
 drivers/usb/core/urb.c | 28 +---
 include/linux/usb.h|  2 ++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
index 47903d510955..580dfaec8af7 100644
--- a/drivers/usb/core/urb.c
+++ b/drivers/usb/core/urb.c
@@ -187,6 +187,31 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
 
 /*---*/
 
+static const int pipetypes[4] = {
+   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
+};
+
+/**
+ * usb_urb_ep_check_type - sanity check of endpoint in the given urb
+ * @urb: urb to be checked
+ *
+ * This performs a light-weight sanity check for the endpoint in the
+ * given urb.  It returns 0 if the urb contains a valid endpoint, otherwise
+ * a negative error code.
+ */
+int usb_urb_ep_check_type(const struct urb *urb)
+{
+   const struct usb_host_endpoint *ep;
+
+   ep = usb_pipe_endpoint(urb->dev, urb->pipe);
+   if (!ep)
+   return -EINVAL;
+   if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(>desc)])
+   return -EINVAL;
+   return 0;
+}
+EXPORT_SYMBOL_GPL(usb_urb_ep_check_type);
+
 /**
  * usb_submit_urb - issue an asynchronous transfer request for an endpoint
  * @urb: pointer to the urb describing the request
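Review bot: The helper is defined, documented and exported in this hunk as `usb_urb_ep_check_type`, but the prototype this patch adds to include/linux/usb.h and every caller in the rest of the series use `usb_urb_ep_type_check`. As posted the callers would not link, and this definition has no matching prototype. The kernel-doc title, the definition and the export should use the declared name: `int usb_urb_ep_type_check(const struct urb *urb)` and `EXPORT_SYMBOL_GPL(usb_urb_ep_type_check);`. It would also help if the kernel-doc said the helper is meant for drivers that fill URBs with hard-coded endpoints, and that a failure means the attached device's descriptors do not match what the driver expects.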
@@ -326,9 +351,6 @@ EXPORT_SYMBOL_GPL(usb_unanchor_urb);
  */
 int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
 {
-   static int  pipetypes[4] = {
-   PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
-   };
int xfertype, max;
struct usb_device   *dev;
struct usb_host_endpoint*ep;
diff --git a/include/linux/usb.h b/include/linux/usb.h
index cb9fbd54386e..2b861804fffa 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1728,6 +1728,8 @@ static inline int usb_urb_dir_out(struct urb *urb)
return (urb->transfer_flags & URB_DIR_MASK) == URB_DIR_OUT;
 }
 
+int usb_urb_ep_type_check(const struct urb *urb);
+
 void *usb_alloc_coherent(struct usb_device *dev, size_t size,
gfp_t mem_flags, dma_addr_t *dma);
 void usb_free_coherent(struct usb_device *dev, size_t size,
-- 
2.14.2



usb/net/asix: null-ptr-deref in asix_suspend

2017-10-10 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).

It seems that priv ends up being NULL.

usb 1-1: New USB device found, idVendor=0557, idProduct=2009
usb 1-1: New USB device strings: Mfr=204, Product=1, SerialNumber=0
usb 1-1: Product: a
usb 1-1: Manufacturer: a
gadgetfs: configuration #4
hub 1-1:4.2: bad descriptor, ignoring hub
hub: probe of 1-1:4.2 failed with error -5
asix 1-1:4.2 (unnamed net_device) (uninitialized): Failed to read reg
index 0x: -75
asix 1-1:4.2 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX8817x
USB 2.0 Ethernet, 08:d1:8e:63:00:88
asix 1-1:4.185 eth2: register 'asix' at usb-dummy_hcd.0-1, ASIX
AX8817x USB 2.0 Ethernet, 08:8f:0a:63:00:88
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc4-43422-geccacdd69a8c #400
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006bb36300 task.stack: 88006bba8000
RIP: 0010:asix_suspend+0x76/0xc0 drivers/net/usb/asix_devices.c:629
RSP: 0018:88006bbae718 EFLAGS: 00010202
RAX: dc00 RBX: 880061ba3b80 RCX: 11000c34d644
RDX: 0001 RSI: 0402 RDI: 0008
RBP: 88006bbae738 R08: 11000d775cad R09: 
R10:  R11:  R12: 8800630a8b40
R13:  R14: 0402 R15: 880061ba3b80
FS:  () GS:88006c60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7ff33cf89000 CR3: 61c0a000 CR4: 06f0
Call Trace:
 usb_suspend_interface drivers/usb/core/driver.c:1209
 usb_suspend_both+0x27f/0x7e0 drivers/usb/core/driver.c:1314
 usb_runtime_suspend+0x41/0x120 drivers/usb/core/driver.c:1852
 __rpm_callback+0x339/0xb60 drivers/base/power/runtime.c:334
 rpm_callback+0x106/0x220 drivers/base/power/runtime.c:461
 rpm_suspend+0x465/0x1980 drivers/base/power/runtime.c:596
 __pm_runtime_suspend+0x11e/0x230 drivers/base/power/runtime.c:1009
 pm_runtime_put_sync_autosuspend ./include/linux/pm_runtime.h:251
 usb_new_device+0xa37/0x1020 drivers/usb/core/hub.c:2487
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 8d 7c 24 20 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5b 48 b8 00 00
00 00 00 fc ff df 4d 8b 6c 24 20 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80>
3c 02 00 75 34 4d 8b 6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c
RIP: asix_suspend+0x76/0xc0 RSP: 88006bbae718
---[ end trace dfc4f5649284342c ]---


Re: linux-stable 4.11.y – xhci probe failed because of missing patches

2017-10-10 Thread Mathias Nyman

On 10.10.2017 10:50, Tung Vuong Nguyen wrote:

Hi everyone,

Since kernel 4.11, there are a list of patches from Sriram (refer
https://lkml.org/lkml/2016/11/10/51) that change the way DMA is
inherited from sysdev. They have been accepted and available in
torvalds/linux.git already. Below are list the patches:

d64ff406e5("usb: dwc3: use bus->sysdev for DMA configuration")
8c9f2de459("usb: dwc3: Do not set dma coherent mask")
a8c06e407e("usb: separate out sysdev pointer from usb_bus")
aeb78cda51("usb: chipidea: use bus->sysdev for DMA configuration")
8123e4953f("usb: ehci: fsl: use bus->sysdev for DMA configuration")
4c39d4b949("usb: xhci: use bus->sysdev for DMA configuration")
c6b8e79306("usb: host: xhci-plat: allow sysdev to inherit from ACPI")

They should all come together.

However, in linux-stable on the linux-4.11.y branch, only the first two of the
above patches are included. This causes the XHCI driver to fail to probe
with the kernel message below:
[7.859145] xhci-hcd: probe of xhci-hcd.0.auto failed with error -5

This causes OSes such as CentOS 7.4 which uses kernel 4.11 have USB
XHCI driver fails to work.



True, the first two dwc3 patches were accepted to (4.10).
The rest, including the xhci change got into 4.12 or later
So basically 4.11.y stable will have broken dwc3 xhci host part.

In addition to those we probably need these two as well:
bde654a55adc usb: hcd: use correct device pointer for dma ops
8b373ffc7977 usb: ehci: use bus->sysdev for DMA configuration

So complete list for 4.11.y stable would be:

a8c06e407ef9 usb: separate out sysdev pointer from usb_bus
aeb78cda5100 usb: chipidea: use bus->sysdev for DMA configuration
8123e4953fe6 usb: ehci: fsl: use bus->sysdev for DMA configuration
4c39d4b949d3 usb: xhci: use bus->sysdev for DMA configuration
8b373ffc7977 usb: ehci: use bus->sysdev for DMA configuration
bde654a55adc usb: hcd: use correct device pointer for dma ops
c6b8e79306f5 usb: host: xhci-plat: allow sysdev to inherit from ACPI

If you agree I can send that list to stable

-Mathias


Re: dwc2 - ChHltd set, but reason is unknown

2017-10-10 Thread Anders Montonen

Hi,

On Mon, 9 Oct 2017, Minas Harutyunyan wrote:

On 10/9/2017 5:15 PM, Anders Montonen wrote:



We have a custom Altera Cyclone V SoCFPGA board, where connecting a
particular brand of USB memory sticks produces an endless stream of
console error messages until it is removed from the system.

Could you please provide log with enabled VERBOSE debug messages.


I uploaded a log to .

Regards,
Anders


Re: [PATCH v2] HID: usbhid: fix out-of-bounds bug

2017-10-10 Thread Andrey Konovalov
On Tue, Oct 10, 2017 at 9:25 AM, Jaejoong Kim  wrote:
> Hi,
>
> To. Jiri, Alan,
>
> Could you please review this patch?
>
> To. Andey,
>
> Could you please test with this patch for KASAN OOB error?

Hi!

Yes, your patch fixes the issue.

Thanks!

Tested-by: Andrey Konovalov 

>
> Thanks, jaejoong
>
> 2017-09-28 19:16 GMT+09:00 Jaejoong Kim :
>> The hid descriptor identifies the length and type of subordinate
>> descriptors for a device. If the received hid descriptor is smaller than
>> the size of the struct hid_descriptor, it is possible to cause
>> out-of-bounds.
>>
>> In addition, if bNumDescriptors of the hid descriptor have an incorrect
>> value, this can also cause out-of-bounds while approaching hdesc->desc[n].
>>
>> So check the size of hid descriptor and bNumDescriptors.
>>
>> BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
>> Read of size 1 at addr 88006c5f8edf by task kworker/1:2/1261
>>
>> CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
>> 4.14.0-rc1-42251-gebb2c2437d80 #169
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
>> 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> Call Trace:
>> __dump_stack lib/dump_stack.c:16
>> dump_stack+0x292/0x395 lib/dump_stack.c:52
>> print_address_description+0x78/0x280 mm/kasan/report.c:252
>> kasan_report_error mm/kasan/report.c:351
>> kasan_report+0x22f/0x340 mm/kasan/report.c:409
>> __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
>> usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
>> hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
>> usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
>> usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>> really_probe drivers/base/dd.c:413
>> driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>> __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>> bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>> __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>> device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>> bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>> device_add+0xd0b/0x1660 drivers/base/core.c:1835
>> usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
>> generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
>> usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
>> really_probe drivers/base/dd.c:413
>> driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>> __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>> bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>> __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>> device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>> bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>> device_add+0xd0b/0x1660 drivers/base/core.c:1835
>> usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
>> hub_port_connect drivers/usb/core/hub.c:4903
>> hub_port_connect_change drivers/usb/core/hub.c:5009
>> port_event drivers/usb/core/hub.c:5115
>> hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
>> process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
>> worker_thread+0x221/0x1850 kernel/workqueue.c:2253
>> kthread+0x3a1/0x470 kernel/kthread.c:231
>> ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>>
>> Reported-by: Andrey Konovalov 
>> Signed-off-by: Jaejoong Kim 
>> ---
>>
>> Changes in v2:
>> - write a new commit message because orginal version is wrong approach
>> - add check hid descriptor size
>> - get proper value for bNumDescriptors as suggested by Alan Stern
>> - fix the Reported-by
>>
>>  drivers/hid/usbhid/hid-core.c | 12 +++-
>>  1 file changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
>> index 089bad8..045b5da 100644
>> --- a/drivers/hid/usbhid/hid-core.c
>> +++ b/drivers/hid/usbhid/hid-core.c
>> @@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_device *hid)
>> unsigned int rsize = 0;
>> char *rdesc;
>> int ret, n;
>> +   int num_descriptors;
>> +   size_t offset = offsetof(struct hid_descriptor, desc);
>>
>> quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
>> le16_to_cpu(dev->descriptor.idProduct));
>> @@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_device *hid)
>> return -ENODEV;
>> }
>>
>> +   if (hdesc->bLength < sizeof(struct hid_descriptor)) {
>> +   dbg_hid("hid descriptor is too short\n");
>> +   return -EINVAL;
>> +   }
>> +
>>  

RE: [PATCH v2] extcon: Split out extcon header file for consumer and provider device

2017-10-10 Thread Yoshihiro Shimoda
Hi,

> From: Chanwoo Choi, Sent: Tuesday, October 10, 2017 7:18 PM
> 
> The extcon has two type of extcon devices as following.
> - 'extcon provider deivce' adds new extcon device and detect the
>state/properties of external connector. Also, it notifies the
>state/properties to the extcon consumer device.
> - 'extcon consumer device' gets the change state/properties
>from extcon provider device.
> Prior to that, include/linux/extcon.h contains all exported API for
> both provider and consumer device driver. To clarify the meaning of
> header file and to remove the wrong use-case on consumer device,
> this patch separates into extcon.h and extcon-provider.h.
> 
> [Description for include/linux/{extcon.h|extcon-provider.h}]
> - extcon.h includes the extcon API and data structure for extcon consumer
>   device driver. This header file contains the following APIs:
>   : Register/unregister the notifier to catch the change of extcon device
>   : Get the extcon device instance
>   : Get the extcon device name
>   : Get the state of each external connector
>   : Get the property value of each external connector
>   : Get the property capability of each external connector
> 
> - extcon-provider.h includes the extcon API and data structure for extcon
>   provider device driver. This header file contains the following APIs:
>   : Include 'include/linux/extcon.h'
>   : Allocate the memory for extcon device instance
>   : Register/unregister extcon device
>   : Set the state of each external connector
>   : Set the property value of each external connector
>   : Set the property capability of each external connector
> 
> Cc: Felipe Balbi 
> Cc: Kishon Vijay Abraham I 
> Cc: Greg Kroah-Hartman 
> Acked-by: Sebastian Reichel 
> Acked-by: Chen-Yu Tsai 
> Acked-by: Charles Keepax 
> Acked-by: Lee Jones 
> Signed-off-by: Chanwoo Choi 
> ---
> Changes from v1:
> - Don't touch drivers/usb/renesas_usbhs/common.h.
> - Add acked-by from Sebastian Reichel (for drivers/power/supply/)
> - Add acked-by from Chen-Yu Tsai (for phy-sun4i-usb.c & extcon-axp288.c)
> - Add acked-by from Charles Keepax (for drivers/extcon/extcon-arizona.c)
> - Add acked-by from Lee Jones (fo include/linux/mfd/palmas.h)
< snip >
>  drivers/phy/renesas/phy-rcar-gen3-usb2.c  |   2 +-

and

< snip >
>  drivers/usb/gadget/udc/renesas_usb3.c |   2 +-

Acked-by: Yoshihiro Shimoda 

Best regards,
Yoshihiro Shimoda



Re: [PATCH v2] extcon: Split out extcon header file for consumer and provider device

2017-10-10 Thread Felipe Balbi

Hi,

Chanwoo Choi  writes:
> The extcon has two type of extcon devices as following.
> - 'extcon provider deivce' adds new extcon device and detect the
>state/properties of external connector. Also, it notifies the
>state/properties to the extcon consumer device.
> - 'extcon consumer device' gets the change state/properties
>from extcon provider device.
> Prior to that, include/linux/extcon.h contains all exported API for
> both provider and consumer device driver. To clarify the meaning of
> header file and to remove the wrong use-case on consumer device,
> this patch separates into extcon.h and extcon-provider.h.
>
> [Description for include/linux/{extcon.h|extcon-provider.h}]
> - extcon.h includes the extcon API and data structure for extcon consumer
>   device driver. This header file contains the following APIs:
>   : Register/unregister the notifier to catch the change of extcon device
>   : Get the extcon device instance
>   : Get the extcon device name
>   : Get the state of each external connector
>   : Get the property value of each external connector
>   : Get the property capability of each external connector
>
> - extcon-provider.h includes the extcon API and data structure for extcon
>   provider device driver. This header file contains the following APIs:
>   : Include 'include/linux/extcon.h'
>   : Allocate the memory for extcon device instance
>   : Register/unregister extcon device
>   : Set the state of each external connector
>   : Set the property value of each external connector
>   : Set the property capability of each external connector
>
> Cc: Felipe Balbi 

Acked-by: Felipe Balbi 

-- 
balbi


[PATCH v2] extcon: Split out extcon header file for consumer and provider device

2017-10-10 Thread Chanwoo Choi
The extcon has two types of extcon devices as follows.
- 'extcon provider device' adds a new extcon device and detects the
   state/properties of external connector. Also, it notifies the
   state/properties to the extcon consumer device.
- 'extcon consumer device' gets the change state/properties
   from extcon provider device.
Prior to that, include/linux/extcon.h contains all exported API for
both provider and consumer device driver. To clarify the meaning of
header file and to remove the wrong use-case on consumer device,
this patch separates into extcon.h and extcon-provider.h.

[Description for include/linux/{extcon.h|extcon-provider.h}]
- extcon.h includes the extcon API and data structure for extcon consumer
  device driver. This header file contains the following APIs:
  : Register/unregister the notifier to catch the change of extcon device
  : Get the extcon device instance
  : Get the extcon device name
  : Get the state of each external connector
  : Get the property value of each external connector
  : Get the property capability of each external connector

- extcon-provider.h includes the extcon API and data structure for extcon
  provider device driver. This header file contains the following APIs:
  : Include 'include/linux/extcon.h'
  : Allocate the memory for extcon device instance
  : Register/unregister extcon device
  : Set the state of each external connector
  : Set the property value of each external connector
  : Set the property capability of each external connector

Cc: Felipe Balbi 
Cc: Kishon Vijay Abraham I 
Cc: Greg Kroah-Hartman 
Acked-by: Sebastian Reichel 
Acked-by: Chen-Yu Tsai 
Acked-by: Charles Keepax 
Acked-by: Lee Jones 
Signed-off-by: Chanwoo Choi 
---
Changes from v1:
- Don't touch drivers/usb/renesas_usbhs/common.h.
- Add acked-by from Sebastian Reichel (for drivers/power/supply/)
- Add acked-by from Chen-Yu Tsai (for phy-sun4i-usb.c & extcon-axp288.c)
- Add acked-by from Charles Keepax (for drivers/extcon/extcon-arizona.c)
- Add acked-by from Lee Jones (fo include/linux/mfd/palmas.h)

 drivers/extcon/extcon-adc-jack.c  |   2 +-
 drivers/extcon/extcon-arizona.c   |   2 +-
 drivers/extcon/extcon-axp288.c|   2 +-
 drivers/extcon/extcon-gpio.c  |   2 +-
 drivers/extcon/extcon-intel-cht-wc.c  |   2 +-
 drivers/extcon/extcon-intel-int3496.c |   2 +-
 drivers/extcon/extcon-max14577.c  |   2 +-
 drivers/extcon/extcon-max3355.c   |   2 +-
 drivers/extcon/extcon-max77693.c  |   2 +-
 drivers/extcon/extcon-max77843.c  |   2 +-
 drivers/extcon/extcon-max8997.c   |   2 +-
 drivers/extcon/extcon-qcom-spmi-misc.c|   2 +-
 drivers/extcon/extcon-rt8973a.c   |   2 +-
 drivers/extcon/extcon-sm5502.c|   2 +-
 drivers/extcon/extcon-usb-gpio.c  |   2 +-
 drivers/extcon/extcon-usbc-cros-ec.c  |   2 +-
 drivers/extcon/extcon.h   |   2 +-
 drivers/phy/allwinner/phy-sun4i-usb.c |   2 +-
 drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c |   2 +-
 drivers/phy/renesas/phy-rcar-gen3-usb2.c  |   2 +-
 drivers/phy/rockchip/phy-rockchip-inno-usb2.c |   2 +-
 drivers/power/supply/qcom_smbb.c  |   2 +-
 drivers/usb/gadget/udc/renesas_usb3.c |   2 +-
 drivers/usb/phy/phy-tahvo.c   |   2 +-
 include/linux/extcon-provider.h   | 142 ++
 include/linux/extcon.h| 109 +---
 include/linux/mfd/palmas.h|   2 +-
 27 files changed, 172 insertions(+), 129 deletions(-)
 create mode 100644 include/linux/extcon-provider.h

diff --git a/drivers/extcon/extcon-adc-jack.c b/drivers/extcon/extcon-adc-jack.c
index 6f6537ab0a79..3877d86c746a 100644
--- a/drivers/extcon/extcon-adc-jack.c
+++ b/drivers/extcon/extcon-adc-jack.c
@@ -26,7 +26,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 
 /**
  * struct adc_jack_data - internal data for adc_jack device driver
diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
index f84da4a17724..da0e9bc4262f 100644
--- a/drivers/extcon/extcon-arizona.c
+++ b/drivers/extcon/extcon-arizona.c
@@ -27,7 +27,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 
 #include 
 
diff --git a/drivers/extcon/extcon-axp288.c b/drivers/extcon/extcon-axp288.c
index f4fd03e58e37..981fba56bc18 100644
--- a/drivers/extcon/extcon-axp288.c
+++ b/drivers/extcon/extcon-axp288.c
@@ -22,7 +22,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 #include 
 #include 
 #include 
diff --git a/drivers/extcon/extcon-gpio.c b/drivers/extcon/extcon-gpio.c
index ebed22f22d75..ab770adcca7e 100644
--- a/drivers/extcon/extcon-gpio.c
+++ 

RE: VL805 xHCI DMA read faults

2017-10-10 Thread David Laight
From: Robin Murphy
> Sent: 09 October 2017 18:39
...
> >  - without the IOMMU, block sizes >=128K all settle down into a
> >suspiciously-periodic error every 2048 sectors.

That stinks of being a problem where either the link TRB is part
way through a USB packet or where a buffer fragment crosses
a 64k boundary.

Neither is allowed.

David



Re: [bugzilla-dae...@bugzilla.kernel.org: [Bug 197159] New: Xhci host controller not responding starting kernel 4.13]

2017-10-10 Thread Mathias Nyman

On 10.10.2017 02:38, Bjorn Helgaas wrote:

On Mon, Oct 09, 2017 at 10:45:39PM +0200, Mason wrote:

On 09/10/2017 19:01, Bjorn Helgaas wrote:
...



In that thread, Mason reported a regression that looks similar, but as
far as I can tell, we never identified a root cause.

   1) The problem Mason reported was on a Tango platform, which has a
  known hardware issue that corrupts data when simultaneous config
  and MMIO accesses occur.  You're seeing the problem on a
  different platform, which is very helpful.


As mentioned here:
https://www.mail-archive.com/linux-usb@vger.kernel.org/msg94020.html

When I disable the AER driver, not a single config space access
occurs when a USB drive is unplugged. So I'm 99.99% sure that
the issue is NOT caused by tango's bad design. (I got the vibe
that nobody cared about tango's issue because it was assumed
that the design flaw was responsible for it.)


I agree; I don't think this is Tango's fault.

Can you test fe190ed0d602 and d9f11ba9f107 to determine whether
d9f11ba9f107 is the culprit?  If it is the culprit, can you try reverting
it on a current kernel to see if that fixes it?

If d9f11ba9f107 is not the culprit, can you bisect to discover exactly
where it broke?



If possible, could the bug reporter add the same WARN as Mason to see
when xhci reads 0x, or if something else triggers xhci_hc_died()?

In the Tango case it was the hub thread clearing a port reset change event.

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 82c746e..cd3a420 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -908,6 +908,8 @@ void xhci_hc_died(struct xhci_hcd *xhci)
 {
int i, j;
 
+   WARN_ON(1);

if (xhci->xhc_state & XHCI_STATE_DYING)
return;
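Review bot: The added `WARN_ON(1);` sits ahead of the `XHCI_STATE_DYING` early return, so it emits a backtrace on every call to xhci_hc_died(), including repeat calls after the controller is already marked dying. On a kernel booted with panic_on_warn it also halts the machine instead of just logging. For a debug-only aid that is acceptable, but placing it after the `XHCI_STATE_DYING` check would report only the first caller, which is the one that identifies the trigger. The body of xhci_hc_died() continues outside the hunk.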
 
Thanks

Mathias


Re: [PATCH 1/2 v2] typec: tcpm: Validate source and sink caps

2017-10-10 Thread Heikki Krogerus
Hi,

On Mon, Oct 09, 2017 at 03:13:43PM -0700, Badhri Jagan Sridharan wrote:
> The source and sink caps should follow the following rules.
> This patch validates whether the src_caps/snk_caps adheres
> to it.
> 
> 6.4.1 Capabilities Message
> A Capabilities message (Source Capabilities message or Sink
> Capabilities message) shall have at least one Power
> Data Object for vSafe5V. The Capabilities message shall also
> contain the sending Port's information followed by up to
> 6 additional Power Data Objects. Power Data Objects in a
> Capabilities message shall be sent in the following order:
> 
> 1. The vSafe5V Fixed Supply Object shall always be the first object.
> 2. The remaining Fixed Supply Objects, if present, shall be sent
>in voltage order; lowest to highest.
> 3. The Battery Supply Objects, if present shall be sent in Minimum
>Voltage order; lowest to highest.
> 4. The Variable Supply (non-battery) Objects, if present, shall be
>sent in Minimum Voltage order; lowest to highest.
> 
> Errors in source/sink_caps of the local port will prevent
> the port registration. Whereas, errors in source caps of partner
> device would only log them.
> 
> Signed-off-by: Badhri Jagan Sridharan 
> ---
> Changelog since v1:
> - Rebased the patch on top of drivers/usb/type/tcpm.c
> - Added duplicate pdo check for variable/batt pdo.
> - Fixed tabs as suggested by dan.carpen...@oracle.com
> 
>  drivers/usb/typec/tcpm.c | 114 
> +++
>  include/linux/usb/pd.h   |   2 +
>  include/linux/usb/tcpm.h |   4 +-
>  3 files changed, 109 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/usb/typec/tcpm.c b/drivers/usb/typec/tcpm.c
> index 8483d3e33853..75deac3ee58d 100644
> --- a/drivers/usb/typec/tcpm.c
> +++ b/drivers/usb/typec/tcpm.c
> @@ -1256,6 +1256,82 @@ static void vdm_state_machine_work(struct work_struct 
> *work)
>   mutex_unlock(>lock);
>  }
>  
> +static int tcpm_validate_caps(struct tcpm_port *port, const u32 *pdo,
> +   unsigned int nr_pdo)
> +{
> + unsigned int i;
> +
> + /* Should at least contain vSafe5v */
> + if (nr_pdo < 1) {
> + tcpm_log_force(port,
> +" err: source/sink caps should atleast have 
> vSafe5V");
> + return -EINVAL;
> + }
> +
> + /* The vSafe5V Fixed Supply Object Shall always be the first object */
> + if (pdo_type(pdo[0]) != PDO_TYPE_FIXED ||
> + pdo_fixed_voltage(pdo[0]) != VSAFE5V) {
> + tcpm_log_force(port,
> +" err: vSafe5V Fixed Supply Object Shall always 
> be the first object");
> + return -EINVAL;
> + }
> +
> + for (i = 1; i < nr_pdo; i++) {
> + if (pdo_type(pdo[i]) < pdo_type(pdo[i - 1])) {
> + tcpm_log_force(port,
> +" err:PDOs should be in the following 
> order: Fixed; Battery; Variable. pdo index:%u"
> +, i);
> + return -EINVAL;
> + } else if (pdo_type(pdo[i]) == pdo_type(pdo[i - 1])) {
> + enum pd_pdo_type type = pdo_type(pdo[i]);
> +
> + switch (type) {
> + /*
> +  * The remaining Fixed Supply Objects, if
> +  * present, shall be sent in voltage order;
> +  * lowest to highest.
> +  */
> + case PDO_TYPE_FIXED:
> + if (pdo_fixed_voltage(pdo[i]) <=
> + pdo_fixed_voltage(pdo[i - 1])) {
> + tcpm_log_force(port,
> +" err: Fixed supply pdos 
> should be in increasing order, pdo index:%u"
> +, i);
> + return -EINVAL;
> + }
> + break;
> + /*
> +  * The Battery Supply Objects and Variable
> +  * supply, if present shall be sent in Minimum
> +  * Voltage order; lowest to highest.
> +  */
> + case PDO_TYPE_VAR:
> + case PDO_TYPE_BATT:
> + if (pdo_min_voltage(pdo[i]) <
> + pdo_min_voltage(pdo[i - 1])) {
> + tcpm_log_force(port,
> +" err: Variable supply 
> pdos should be in increasing order, pdo index:%u"
> +, i);
> + return -EINVAL;
> + } else if ((pdo_min_voltage(pdo[i]) ==
> + pdo_min_voltage(pdo[i - 1])) &&
> +  

linux-stable 4.11.y – xhci probe failed because of missing patches

2017-10-10 Thread Tung Vuong Nguyen
Hi everyone,

Since kernel 4.11, there is a list of patches from Sriram (see
https://lkml.org/lkml/2016/11/10/51) that change the way DMA is
inherited from sysdev. They have been accepted and are already available
in torvalds/linux.git. The patches are listed below:

d64ff406e5("usb: dwc3: use bus->sysdev for DMA configuration")
8c9f2de459("usb: dwc3: Do not set dma coherent mask")
a8c06e407e("usb: separate out sysdev pointer from usb_bus")
aeb78cda51("usb: chipidea: use bus->sysdev for DMA configuration")
8123e4953f("usb: ehci: fsl: use bus->sysdev for DMA configuration")
4c39d4b949("usb: xhci: use bus->sysdev for DMA configuration")
c6b8e79306("usb: host: xhci-plat: allow sysdev to inherit from ACPI")

They should all come together.

However, in linux-stable on the linux-4.11.y branch, only the first 2
patches above are included. This causes the XHCI driver to fail to probe
with the kernel message below:
[7.859145] xhci-hcd: probe of xhci-hcd.0.auto failed with error -5

This causes OSes such as CentOS 7.4 which uses kernel 4.11 have USB
XHCI driver fails to work.

-- 
Best regards,
Tung

L3C: 8MB
   PEI114 ms
   DXE  20785 ms
   BDS  32047 ms
Total Time = 52947 ms

[0.00] Booting Linux on physical CPU 0x0
[0.00] Linux version 4.11.0 (tunguyen@hcmlab-sw7) (gcc version 6.0.0 
20150826 (experimental) (APM-9.0.7-le) ) #51 SMP PREEMPT Tue Oct 10 13:23:22 
ICT 2017
[0.00] Boot CPU: AArch64 Processor [501f]
[0.00] earlycon: uart8250 at MMIO32 0x1060 (options '')
[0.00] bootconsole [uart8250] enabled
[0.00] efi: Getting EFI parameters from FDT:
[0.00] efi: UEFI not found.
[0.00] cma: Reserved 16 MiB at 0x0040ff00
[0.00] NUMA: No NUMA configuration found
[0.00] NUMA: Faking a node at [mem 
0x-0x0041]
[0.00] NUMA: Adding memblock [0x40 - 0x41] on node 0
[0.00] NUMA: Initmem setup node 0 [mem 0x40-0x41]
[0.00] NUMA: NODE_DATA [mem 0x41fffd0f00-0x41fffd29ff]
[0.00] Zone ranges:
[0.00]   DMA  [mem 0x0040-0x0040]
[0.00]   Normal   [mem 0x0041-0x0041]
[0.00] Movable zone start for each node
[0.00] Early memory node ranges
[0.00]   node   0: [mem 0x0040-0x0041]
[0.00] Initmem setup node 0 [mem 0x0040-0x0041]
[0.00] On node 0 totalpages: 2097152
[0.00]   DMA zone: 16384 pages used for memmap
[0.00]   DMA zone: 0 pages reserved
[0.00]   DMA zone: 1048576 pages, LIFO batch:31
[0.00]   Normal zone: 16384 pages used for memmap
[0.00]   Normal zone: 1048576 pages, LIFO batch:31
[0.00] percpu: Embedded 23 pages/cpu @8001fff15000 s56960 r8192 
d29056 u94208
[0.00] pcpu-alloc: s56960 r8192 d29056 u94208 alloc=23*4096
[0.00] pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 [0] 4 [0] 5 [0] 6 [0] 7 
[0.00] Detected PIPT I-cache on CPU0
[0.00] Built 1 zonelists in Node order, mobility grouping on.  Total 
pages: 2064384
[0.00] Policy zone: Normal
[0.00] Kernel command line: console=ttyS0,115200 
earlycon=uart8250,mmio32,0x1060 debug
[0.00] PID hash table entries: 4096 (order: 3, 32768 bytes)
[0.00] software IO TLB [mem 0x40fafff000-0x40fefff000] (64MB) mapped at 
[8000fafff000-8000feffefff]
[0.00] Memory: 8122152K/8388608K available (8892K kernel code, 964K 
rwdata, 3972K rodata, 1088K init, 396K bss, 250072K reserved, 16384K 
cma-reserved)
[0.00] Virtual kernel memory layout:
[0.00] modules : 0x - 0x0800   (   128 
MB)
[0.00] vmalloc : 0x0800 - 0x7dffbfff   (129022 
GB)
[0.00]   .text : 0x0808 - 0x0893   (  8896 
KB)
[0.00] .rodata : 0x0893 - 0x08d2   (  4032 
KB)
[0.00]   .init : 0x08d2 - 0x08e3   (  1088 
KB)
[0.00]   .data : 0x08e3 - 0x08f21200   (   965 
KB)
[0.00].bss : 0x08f21200 - 0x08f844b0   (   397 
KB)
[0.00] fixed   : 0x7dfffe7fd000 - 0x7dfffec0   (  4108 
KB)
[0.00] PCI I/O : 0x7dfffee0 - 0x7de0   (16 
MB)
[

Re: [PATCH v2] HID: usbhid: fix out-of-bounds bug

2017-10-10 Thread Jaejoong Kim
Hi,

To. Jiri, Alan,

Could you please review this patch?

To. Andrey,

Could you please test with this patch for KASAN OOB error?

Thanks, jaejoong

2017-09-28 19:16 GMT+09:00 Jaejoong Kim :
> The hid descriptor identifies the length and type of subordinate
> descriptors for a device. If the received hid descriptor is smaller than
> the size of the struct hid_descriptor, parsing it can cause an
> out-of-bounds read.
>
> In addition, if bNumDescriptors of the hid descriptor has an incorrect
> value, this can also cause an out-of-bounds read while accessing hdesc->desc[n].
>
> So check the size of hid descriptor and bNumDescriptors.
>
> BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
> Read of size 1 at addr 88006c5f8edf by task kworker/1:2/1261
>
> CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
> 4.14.0-rc1-42251-gebb2c2437d80 #169
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
> 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:16
> dump_stack+0x292/0x395 lib/dump_stack.c:52
> print_address_description+0x78/0x280 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351
> kasan_report+0x22f/0x340 mm/kasan/report.c:409
> __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
> usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
> hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
> usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
> usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
> really_probe drivers/base/dd.c:413
> driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
> __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
> bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
> __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
> device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
> bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
> device_add+0xd0b/0x1660 drivers/base/core.c:1835
> usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
> generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
> usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
> really_probe drivers/base/dd.c:413
> driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
> __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
> bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
> __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
> device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
> bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
> device_add+0xd0b/0x1660 drivers/base/core.c:1835
> usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
> hub_port_connect drivers/usb/core/hub.c:4903
> hub_port_connect_change drivers/usb/core/hub.c:5009
> port_event drivers/usb/core/hub.c:5115
> hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
> process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
> worker_thread+0x221/0x1850 kernel/workqueue.c:2253
> kthread+0x3a1/0x470 kernel/kthread.c:231
> ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>
> Reported-by: Andrey Konovalov 
> Signed-off-by: Jaejoong Kim 
> ---
>
> Changes in v2:
> - write a new commit message because orginal version is wrong approach
> - add check hid descriptor size
> - get proper value for bNumDescriptors as suggested by Alan Stern
> - fix the Reported-by
>
>  drivers/hid/usbhid/hid-core.c | 12 +++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> index 089bad8..045b5da 100644
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_device *hid)
> unsigned int rsize = 0;
> char *rdesc;
> int ret, n;
> +   int num_descriptors;
> +   size_t offset = offsetof(struct hid_descriptor, desc);
>
> quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
> le16_to_cpu(dev->descriptor.idProduct));
> @@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_device *hid)
> return -ENODEV;
> }
>
> +   if (hdesc->bLength < sizeof(struct hid_descriptor)) {
> +   dbg_hid("hid descriptor is too short\n");
> +   return -EINVAL;
> +   }
> +
> hid->version = le16_to_cpu(hdesc->bcdHID);
> hid->country = hdesc->bCountryCode;
>
> -   for (n = 0; n < hdesc->bNumDescriptors; n++)
> +   num_descriptors = min_t(int, hdesc->bNumDescriptors,
> +  (hdesc->bLength - offset) / sizeof(struct 
>