[PATCH 0/2] xhci fixes for usb-linus

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

Two small xhci fixes for usb-linus, both fix NULL pointer dereference issues.
Would be nice if they could still make 5.7 

Thanks
Mathias

Li Jun (1):
  usb: host: xhci-plat: keep runtime active when removing host

Sriharsha Allenki (1):
  usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb
    sg list

 drivers/usb/host/xhci-plat.c | 4 +++-
 drivers/usb/host/xhci-ring.c | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

-- 
2.17.1

[PATCH 1/2] usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list

[Mathias Nyman]

From: Sriharsha Allenki <sallenki@codeaurora.org>

On platforms with IOMMU enabled, multiple SGs can be coalesced into one
by the IOMMU driver. In that case the SG list processing as part of the
completion of a urb on a bulk endpoint can result into a NULL pointer
dereference with the below stack dump.

<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
<6> pgd = c0004000
<6> [0000000c] *pgd=00000000
<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
<2> PC is at xhci_queue_bulk_tx+0x454/0x80c
<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
<2> pc : [<c08907c4>]    lr : [<c08907bc>]    psr: 000000d3
<2> sp : ca337c80  ip : 00000000  fp : ffffffff
<2> r10: 00000000  r9 : 50037000  r8 : 00004000
<2> r7 : 00000000  r6 : 00004000  r5 : 00000000  r4 : 00000000
<2> r3 : 00000000  r2 : 00000082  r1 : c2c1a200  r0 : 00000000
<2> Flags: nzcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
<2> Control: 10c0383d  Table: b412c06a  DAC: 00000051
<6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
<snip>
<2> [<c08907c4>] (xhci_queue_bulk_tx)
<2> [<c0881b3c>] (xhci_urb_enqueue)
<2> [<c0831068>] (usb_hcd_submit_urb)
<2> [<c08350b4>] (usb_sg_wait)
<2> [<c089f384>] (usb_stor_bulk_transfer_sglist)
<2> [<c089f2c0>] (usb_stor_bulk_srb)
<2> [<c089fe38>] (usb_stor_Bulk_transport)
<2> [<c089f468>] (usb_stor_invoke_transport)
<2> [<c08a11b4>] (usb_stor_control_thread)
<2> [<c014a534>] (kthread)

The above NULL pointer dereference is the result of block_len and the
sent_len set to zero after the first SG of the list when IOMMU driver
is enabled. Because of this the loop of processing the SGs has run
more than num_sgs which resulted in a sg_next on the last SG of the
list which has SG_END set.

Fix this by check for the sg before any attributes of the sg are
accessed.

[modified reason for null pointer dereference in commit message subject -Mathias]
Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
 drivers/usb/host/xhci-ring.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 0fda0c0f4d31..2c255d0620b0 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -3433,8 +3433,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
 			/* New sg entry */
 			--num_sgs;
 			sent_len -= block_len;
-			if (num_sgs != 0) {
-				sg = sg_next(sg);
+			sg = sg_next(sg);
+			if (num_sgs != 0 && sg) {
 				block_len = sg_dma_len(sg);
 				addr = (u64) sg_dma_address(sg);
 				addr += sent_len;
-- 
2.17.1

[PATCH 2/2] usb: host: xhci-plat: keep runtime active when removing host

[Mathias Nyman]

From: Li Jun <jun.li@nxp.com>

While removing the host (e.g. for USB role switch from host to device),
if runtime pm is enabled by user, below oops occurs on dwc3 and cdns3
platforms.
Keeping the xhci-plat device active during host removal, and disabling
runtime pm before calling pm_runtime_set_suspended() fixes them.

oops1:
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000240
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.4.3-00107-g64d454a-dirty
Hardware name: FSL i.MX8MP EVK (DT)
Workqueue: pm pm_runtime_work
pstate: 60000005 (nZCv daif -PAN -UAO)
pc : xhci_suspend+0x34/0x698
lr : xhci_plat_runtime_suspend+0x2c/0x38
sp : ffff800011ddbbc0
Call trace:
 xhci_suspend+0x34/0x698
 xhci_plat_runtime_suspend+0x2c/0x38
 pm_generic_runtime_suspend+0x28/0x40
 __rpm_callback+0xd8/0x138
 rpm_callback+0x24/0x98
 rpm_suspend+0xe0/0x448
 rpm_idle+0x124/0x140
 pm_runtime_work+0xa0/0xf8
 process_one_work+0x1dc/0x370
 worker_thread+0x48/0x468
 kthread+0xf0/0x120
 ret_from_fork+0x10/0x1c

oops2:
usb 2-1: USB disconnect, device number 2
xhci-hcd xhci-hcd.1.auto: remove, state 4
usb usb2: USB disconnect, device number 1
xhci-hcd xhci-hcd.1.auto: USB bus 2 deregistered
xhci-hcd xhci-hcd.1.auto: remove, state 4
usb usb1: USB disconnect, device number 1
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000138
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.6.0-rc4-next-20200304-03578
Hardware name: Freescale i.MX8QXP MEK (DT)
Workqueue: 1-0050 tcpm_state_machine_work
pstate: 20000005 (nzCv daif -PAN -UAO)
pc : xhci_free_dev+0x214/0x270
lr : xhci_plat_runtime_resume+0x78/0x88
sp : ffff80001006b5b0
Call trace:
 xhci_free_dev+0x214/0x270
 xhci_plat_runtime_resume+0x78/0x88
 pm_generic_runtime_resume+0x30/0x48
 __rpm_callback+0x90/0x148
 rpm_callback+0x28/0x88
 rpm_resume+0x568/0x758
 rpm_resume+0x260/0x758
 rpm_resume+0x260/0x758
 __pm_runtime_resume+0x40/0x88
 device_release_driver_internal+0xa0/0x1c8
 device_release_driver+0x1c/0x28
 bus_remove_device+0xd4/0x158
 device_del+0x15c/0x3a0
 usb_disable_device+0xb0/0x268
 usb_disconnect+0xcc/0x300
 usb_remove_hcd+0xf4/0x1dc
 xhci_plat_remove+0x78/0xe0
 platform_drv_remove+0x30/0x50
 device_release_driver_internal+0xfc/0x1c8
 device_release_driver+0x1c/0x28
 bus_remove_device+0xd4/0x158
 device_del+0x15c/0x3a0
 platform_device_del.part.0+0x20/0x90
 platform_device_unregister+0x28/0x40
 cdns3_host_exit+0x20/0x40
 cdns3_role_stop+0x60/0x90
 cdns3_role_set+0x64/0xd8
 usb_role_switch_set_role.part.0+0x3c/0x68
 usb_role_switch_set_role+0x20/0x30
 tcpm_mux_set+0x60/0xf8
 tcpm_reset_port+0xa4/0xf0
 tcpm_detach.part.0+0x28/0x50
 tcpm_state_machine_work+0x12ac/0x2360
 process_one_work+0x1c8/0x470
 worker_thread+0x50/0x428
 kthread+0xfc/0x128
 ret_from_fork+0x10/0x18
Code: c8037c02 35ffffa3 17ffe7c3 f9800011 (c85f7c01)
---[ end trace 45b1a173d2679e44 ]---

[minor commit message cleanup  -Mathias]
Cc: Baolin Wang <baolin.wang@linaro.org>
Cc: <stable@vger.kernel.org>
Fixes: b0c69b4bace3 ("usb: host: plat: Enable xHCI plat runtime PM")
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Tested-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Li Jun <jun.li@nxp.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
 drivers/usb/host/xhci-plat.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
index 1d4f6f85f0fe..ea460b9682d5 100644
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -362,6 +362,7 @@ static int xhci_plat_remove(struct platform_device *dev)
 	struct clk *reg_clk = xhci->reg_clk;
 	struct usb_hcd *shared_hcd = xhci->shared_hcd;
 
+	pm_runtime_get_sync(&dev->dev);
 	xhci->xhc_state |= XHCI_STATE_REMOVING;
 
 	usb_remove_hcd(shared_hcd);
@@ -375,8 +376,9 @@ static int xhci_plat_remove(struct platform_device *dev)
 	clk_disable_unprepare(reg_clk);
 	usb_put_hcd(hcd);
 
-	pm_runtime_set_suspended(&dev->dev);
 	pm_runtime_disable(&dev->dev);
+	pm_runtime_put_noidle(&dev->dev);
+	pm_runtime_set_suspended(&dev->dev);
 
 	return 0;
 }
-- 
2.17.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

A couple xhci fixes for 6.9 rc
The null pointer dereferece fix solves a regression in 6.9-rc1,
so no need to add it to stable

Thanks
-Mathias

Mathias Nyman (1):
  xhci: Fix root hub port null pointer dereference in xhci tracepoints

Oliver Neukum (1):
  usb: xhci: correct return value in case of STS_HCE

 drivers/usb/host/xhci-ring.c  |  9 ++++-----
 drivers/usb/host/xhci-trace.h | 12 +++++-------
 2 files changed, 9 insertions(+), 12 deletions(-)

-- 
2.25.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

A couple xhci fixes for 6.4
Fixing a S3 resume issue on AMD hosts, and a flaw in calculating free TRBs
in ring buffer which may cause xhci to hog extra memory.

Thanks
Mathias

Mario Limonciello (1):
  xhci-pci: Only run d3cold avoidance quirk for s2idle

Mathias Nyman (1):
  xhci: Fix incorrect tracking of free space on transfer rings

 drivers/usb/host/xhci-pci.c  | 12 ++++++++++--
 drivers/usb/host/xhci-ring.c | 29 ++++++++++++++++++++++++++++-
 drivers/usb/host/xhci.h      |  2 +-
 3 files changed, 39 insertions(+), 4 deletions(-)

-- 
2.25.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

A couple small xhci fixes for usb-linus

Add Host controller error (HCE) to the list of reasons to reset the host
during resume.
Also make sure we don't change the error value returned if URB submission
fails.

Thanks
-Mathias


Hongyu Xie (1):
  xhci: Prevent futile URB re-submissions due to incorrect return value.

Puma Hsu (1):
  xhci: re-initialize the HC during resume if HCE was set

 drivers/usb/host/xhci.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

-- 
2.25.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

A couple xhci patches for usb-linus that solves two suspend/resume related issues.

Thanks
-Mathias

Kai-Heng Feng (1):
  xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime
    suspending

Mathias Nyman (1):
  xhci: avoid race between disable slot command and host runtime suspend

 drivers/usb/host/xhci-hub.c  |  1 +
 drivers/usb/host/xhci-ring.c |  1 -
 drivers/usb/host/xhci.c      | 26 +++++++++++++++-----------
 3 files changed, 16 insertions(+), 12 deletions(-)

-- 
2.25.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

two patches for usb-linus and 5.12 stable
xhci changes in 5.12 caused a regression in stall handling.
Due to this some usb card readers failed to work with 5.12

These two patches fix that regression.

Thanks
-Mathias

Mathias Nyman (2):
  xhci: fix giving back URB with incorrect status regression in 5.12
  xhci: Fix 5.12 regression of missing xHC cache clearing command after
    a Stall

 drivers/usb/host/xhci-ring.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

-- 
2.25.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

A couple fixes for usb-linus.
Fixes one "xHCI died" case found when stress testing URB cancel on
several devices at once, and one timing issue on Tegra xhci

JC Kuo (1):
  xhci: tegra: Delay for disabling LFPS detector

Mathias Nyman (1):
  xhci: make sure TRB is fully written before giving it to the
    controller

 drivers/usb/host/xhci-ring.c  | 2 ++
 drivers/usb/host/xhci-tegra.c | 7 +++++++
 2 files changed, 9 insertions(+)

-- 
2.25.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

A couple minor xhci fixes for usb-linus, fixing xhci trace events and
adding a quirk flag for a AMD xhci host.

-Mathias

Alberto Mattea (1):
  usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c

Steven Rostedt (VMware) (1):
  xhci: Do not open code __print_symbolic() in xhci trace events

 drivers/usb/host/xhci-pci.c   |  3 ++-
 drivers/usb/host/xhci-trace.h | 23 ++++++-----------------
 2 files changed, 8 insertions(+), 18 deletions(-)

-- 
2.17.1

[PATCH 0/2] xhci fixes for usb-linus

[Mathias Nyman]

Hi Greg

A couple of fixes for usb-linus, one to detect usb 3.2 xhci hosts,
another to resolve a rare host hang at resume issue.

-Mathias

Mathias Nyman (2):
  usb: xhci: Don't try to recover an endpoint if port is in error state.
  xhci: detect USB 3.2 capable host controllers correctly

 drivers/usb/host/xhci-ring.c | 15 ++++++++++++++-
 drivers/usb/host/xhci.c      | 25 ++++++++++++++++++++-----
 drivers/usb/host/xhci.h      |  9 +++++++++
 3 files changed, 43 insertions(+), 6 deletions(-)

-- 
2.7.4