--- /dev/null
+From 2d30e9494f1ea320aaaad0cff9ddd92c87eac355 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 18 Feb 2018 23:01:44 +0100
+Subject: ASoC: rt5651: Fix regcache sync errors on resume
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2d30e9494f1ea320aaaad0cff9ddd92c87eac355 upstream.
+
+The ALC5651 does not like multi-write accesses, avoid them. This fixes:
+
+rt5651 i2c-10EC5651:00: Unable to sync registers 0x27-0x28. -121
+
+Errors on resume (and all registers after the registers in the error not
+being synced).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/rt5651.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/rt5651.c
++++ b/sound/soc/codecs/rt5651.c
+@@ -1736,6 +1736,7 @@ static const struct regmap_config rt5651
+ .num_reg_defaults = ARRAY_SIZE(rt5651_reg),
+ .ranges = rt5651_ranges,
+ .num_ranges = ARRAY_SIZE(rt5651_ranges),
++ .use_single_rw = true,
+ };
+
+ #if defined(CONFIG_OF)
--- /dev/null
+From a8992973edbb2555e956b90f6fe97c4bc14d761d Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Fri, 16 Feb 2018 11:58:54 -0200
+Subject: ASoC: sgtl5000: Fix suspend/resume
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+commit a8992973edbb2555e956b90f6fe97c4bc14d761d upstream.
+
+Commit 8419caa72702 ("ASoC: sgtl5000: Do not disable regulators in
+SND_SOC_BIAS_OFF") causes the sgtl5000 to fail after a suspend/resume
+sequence:
+
+Playing WAVE '/media/a2002011001-e02.wav' : Signed 16 bit Little
+Endian, Rate 44100 Hz, Stereo
+aplay: pcm_write:2051: write error: Input/output error
+
+The problem is caused by the fact that the aforementioned commit
+dropped the cache handling, so re-introduce the register map
+resync to fix the problem.
+
+Suggested-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/sgtl5000.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -774,15 +774,26 @@ static int sgtl5000_pcm_hw_params(struct
+ static int sgtl5000_set_bias_level(struct snd_soc_codec *codec,
+ enum snd_soc_bias_level level)
+ {
++ struct sgtl5000_priv *sgtl = snd_soc_codec_get_drvdata(codec);
++ int ret;
++
+ switch (level) {
+ case SND_SOC_BIAS_ON:
+ case SND_SOC_BIAS_PREPARE:
+ case SND_SOC_BIAS_STANDBY:
++ regcache_cache_only(sgtl->regmap, false);
++ ret = regcache_sync(sgtl->regmap);
++ if (ret) {
++ regcache_cache_only(sgtl->regmap, true);
++ return ret;
++ }
++
+ snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
+ SGTL5000_REFTOP_POWERUP,
+ SGTL5000_REFTOP_POWERUP);
+ break;
+ case SND_SOC_BIAS_OFF:
++ regcache_cache_only(sgtl->regmap, true);
+ snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
+ SGTL5000_REFTOP_POWERUP, 0);
+ break;
--- /dev/null
+From 1f66dd36bb18437397ea0d7882c52f7e3c476e15 Mon Sep 17 00:00:00 2001
+From: Greentime Hu <green.hu@gmail.com>
+Date: Tue, 13 Feb 2018 17:09:08 +0800
+Subject: earlycon: add reg-offset to physical address before mapping
+
+From: Greentime Hu <green.hu@gmail.com>
+
+commit 1f66dd36bb18437397ea0d7882c52f7e3c476e15 upstream.
+
+It will get the wrong virtual address because port->mapbase is not added
+the correct reg-offset yet. We have to update it before earlycon_map()
+is called
+
+Signed-off-by: Greentime Hu <greentime@andestech.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Cc: stable@vger.kernel.org
+Fixes: 088da2a17619 ("of: earlycon: Initialize port fields from DT properties")
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/earlycon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/earlycon.c
++++ b/drivers/tty/serial/earlycon.c
+@@ -253,11 +253,12 @@ int __init of_setup_earlycon(const struc
+ }
+ port->mapbase = addr;
+ port->uartclk = BASE_BAUD * 16;
+- port->membase = earlycon_map(port->mapbase, SZ_4K);
+
+ val = of_get_flat_dt_prop(node, "reg-offset", NULL);
+ if (val)
+ port->mapbase += be32_to_cpu(*val);
++ port->membase = earlycon_map(port->mapbase, SZ_4K);
++
+ val = of_get_flat_dt_prop(node, "reg-shift", NULL);
+ if (val)
+ port->regshift = be32_to_cpu(*val);
--- /dev/null
+From fc110ebdd014dd1368c98e7685b47789c31fab42 Mon Sep 17 00:00:00 2001
+From: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Date: Wed, 7 Mar 2018 10:46:39 -0600
+Subject: PCI: dwc: Fix enumeration end when reaching root subordinate
+
+From: Koen Vandeputte <koen.vandeputte@ncentric.com>
+
+commit fc110ebdd014dd1368c98e7685b47789c31fab42 upstream.
+
+The subordinate value indicates the highest bus number which can be
+reached downstream though a certain device.
+
+Commit a20c7f36bd3d ("PCI: Do not allocate more buses than available in
+parent") ensures that downstream devices cannot assign busnumbers higher
+than the upstream device subordinate number, which was indeed illogical.
+
+By default, dw_pcie_setup_rc() inits the Root Complex subordinate to a
+value of 0x01.
+
+Due to this combined with above commit, enumeration stops digging deeper
+downstream as soon as bus num 0x01 has been assigned, which is always the
+case for a bridge device.
+
+This results in all devices behind a bridge bus remaining undetected, as
+these would be connected to bus 0x02 or higher.
+
+Fix this by initializing the RC to a subordinate value of 0xff, which is
+not altering hardware behaviour in any way, but informs probing function
+pci_scan_bridge() later on which reads this value back from register.
+
+The following nasty errors during boot are also fixed by this:
+
+ pci_bus 0000:02: busn_res: can not insert [bus 02-ff] under [bus 01] (conflicts with (null) [bus 01])
+ ...
+ pci_bus 0000:03: [bus 03] partially hidden behind bridge 0000:01 [bus 01]
+ ...
+ pci_bus 0000:04: [bus 04] partially hidden behind bridge 0000:01 [bus 01]
+ ...
+ pci_bus 0000:05: [bus 05] partially hidden behind bridge 0000:01 [bus 01]
+ pci_bus 0000:02: busn_res: [bus 02-ff] end is updated to 05
+ pci_bus 0000:02: busn_res: can not insert [bus 02-05] under [bus 01] (conflicts with (null) [bus 01])
+ pci_bus 0000:02: [bus 02-05] partially hidden behind bridge 0000:01 [bus 01]
+
+Fixes: a20c7f36bd3d ("PCI: Do not allocate more buses than available in
+parent")
+Tested-by: Niklas Cassel <niklas.cassel@axis.com>
+Tested-by: Fabio Estevam <fabio.estevam@nxp.com>
+Tested-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Lucas Stach <l.stach@pengutronix.de>
+Cc: stable@vger.kernel.org # v4.15+
+Cc: Binghui Wang <wangbinghui@hisilicon.com>
+Cc: Jesper Nilsson <jesper.nilsson@axis.com>
+Cc: Jianguo Sun <sunjianguo1@huawei.com>
+Cc: Jingoo Han <jingoohan1@gmail.com>
+Cc: Kishon Vijay Abraham I <kishon@ti.com>
+Cc: Lucas Stach <l.stach@pengutronix.de>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: Minghuan Lian <minghuan.Lian@freescale.com>
+Cc: Mingkai Hu <mingkai.hu@freescale.com>
+Cc: Murali Karicheri <m-karicheri2@ti.com>
+Cc: Pratyush Anand <pratyush.anand@gmail.com>
+Cc: Richard Zhu <hongxing.zhu@nxp.com>
+Cc: Roy Zang <tie-fei.zang@freescale.com>
+Cc: Shawn Guo <shawn.guo@linaro.org>
+Cc: Stanimir Varbanov <svarbanov@mm-sol.com>
+Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Cc: Xiaowei Song <songxiaowei@hisilicon.com>
+Cc: Zhou Wang <wangzhou1@hisilicon.com>
+[fabio: adapted to the file location of 4.9 kernel]
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pcie-designware.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/host/pcie-designware.c
++++ b/drivers/pci/host/pcie-designware.c
+@@ -861,7 +861,7 @@ void dw_pcie_setup_rc(struct pcie_port *
+ /* setup bus numbers */
+ val = dw_pcie_readl_rc(pp, PCI_PRIMARY_BUS);
+ val &= 0xff000000;
+- val |= 0x00010100;
++ val |= 0x00ff0100;
+ dw_pcie_writel_rc(pp, PCI_PRIMARY_BUS, val);
+
+ /* setup command register */
--- /dev/null
+From 9f2068f35729948bde84d87a40d135015911345d Mon Sep 17 00:00:00 2001
+From: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Date: Tue, 13 Feb 2018 15:04:46 +0100
+Subject: serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
+
+From: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+
+commit 9f2068f35729948bde84d87a40d135015911345d upstream.
+
+Add PCI ids for two variants of Brainboxes UC-260 quad port
+PCI serial cards.
+
+Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -5100,6 +5100,17 @@ static struct pci_device_id serial_pci_t
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */
+ pbn_b2_4_115200 },
+ /*
++ * BrainBoxes UC-260
++ */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0D21,
++ PCI_ANY_ID, PCI_ANY_ID,
++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
++ pbn_b2_4_115200 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0E34,
++ PCI_ANY_ID, PCI_ANY_ID,
++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
++ pbn_b2_4_115200 },
++ /*
+ * Perle PCI-RAS cards
+ */
+ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030,
--- /dev/null
+From 714569064adee3c114a2a6490735b94abe269068 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Sat, 3 Feb 2018 12:27:23 +0100
+Subject: serial: core: mark port as initialized in autoconfig
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 714569064adee3c114a2a6490735b94abe269068 upstream.
+
+This is a followup on 44117a1d1732 ("serial: core: mark port as
+initialized after successful IRQ change").
+Nikola has been using autoconfig via setserial and reported a crash
+similar to what I fixed in the earlier mentioned commit. Here I do the
+same fixup for the autoconfig. I wasn't sure that this is the right
+approach. Nikola confirmed that it fixes his crash.
+
+Fixes: b3b576461864 ("tty: serial_core: convert uart_open to use tty_port_open")
+Link: http://lkml.kernel.org/r/20180131072000.GD1853@localhost.localdomain
+Reported-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Tested-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Tested-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Acked-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/serial_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1135,6 +1135,8 @@ static int uart_do_autoconfig(struct tty
+ uport->ops->config_port(uport, flags);
+
+ ret = uart_startup(tty, state, 1);
++ if (ret == 0)
++ tty_port_set_initialized(port, true);
+ if (ret > 0)
+ ret = 0;
+ }
--- /dev/null
+From 7842055bfce4bf0170d0f61df8b2add8399697be Mon Sep 17 00:00:00 2001
+From: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+Date: Thu, 15 Feb 2018 13:02:27 +0100
+Subject: serial: sh-sci: prevent lockup on full TTY buffers
+
+From: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+
+commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream.
+
+When the TTY buffers fill up to the configured maximum, a system lockup
+occurs:
+
+[ 598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks:
+[ 598.825796] 0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1
+[ 598.832577] (detected by 3, t=62517 jiffies, g=296, c=295, q=126)
+[ 598.838755] Task dump for CPU 0:
+[ 598.841977] swapper/0 R running task 0 0 0 0x00000022
+[ 598.849023] Call trace:
+[ 598.851476] __switch_to+0x98/0xb0
+[ 598.854870] (null)
+
+This can be prevented by doing a dummy read of the RX data register.
+
+This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0;
+reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms
+as well.
+
+Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/sh-sci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -935,6 +935,8 @@ static void sci_receive_chars(struct uar
+ /* Tell the rest of the system the news. New characters! */
+ tty_flip_buffer_push(tport);
+ } else {
++ /* TTY buffers full; read from RX reg to prevent lockup */
++ serial_port_in(port, SCxRDR);
+ serial_port_in(port, SCxSR); /* dummy read */
+ sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port));
+ }
nfs-fix-unstable-write-completion.patch
x86-module-detect-and-skip-invalid-relocations.patch
x86-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch
+asoc-sgtl5000-fix-suspend-resume.patch
+asoc-rt5651-fix-regcache-sync-errors-on-resume.patch
+serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch
+tty-serial-atmel-add-new-version-check-for-usart.patch
+uas-fix-comparison-for-error-code.patch
+staging-comedi-fix-comedi_nsamples_left.patch
+staging-android-ashmem-fix-lockdep-issue-during-llseek.patch
+usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch
+usbip-vudc-fix-null-pointer-dereference-on-udc-lock.patch
+usb-quirks-add-control-message-delay-for-1b1c-1b20.patch
+usb-usbmon-read-text-within-supplied-buffer-size.patch
+usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch
+serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch
+serial-core-mark-port-as-initialized-in-autoconfig.patch
+earlycon-add-reg-offset-to-physical-address-before-mapping.patch
+pci-dwc-fix-enumeration-end-when-reaching-root-subordinate.patch
--- /dev/null
+From cb57469c9573f6018cd1302953dd45d6e05aba7b Mon Sep 17 00:00:00 2001
+From: Joel Fernandes <joelaf@google.com>
+Date: Fri, 16 Feb 2018 11:02:01 -0800
+Subject: staging: android: ashmem: Fix lockdep issue during llseek
+
+From: Joel Fernandes <joelaf@google.com>
+
+commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.
+
+ashmem_mutex create a chain of dependencies like so:
+
+(1)
+mmap syscall ->
+ mmap_sem -> (acquired)
+ ashmem_mmap
+ ashmem_mutex (try to acquire)
+ (block)
+
+(2)
+llseek syscall ->
+ ashmem_llseek ->
+ ashmem_mutex -> (acquired)
+ inode_lock ->
+ inode->i_rwsem (try to acquire)
+ (block)
+
+(3)
+getdents ->
+ iterate_dir ->
+ inode_lock ->
+ inode->i_rwsem (acquired)
+ copy_to_user ->
+ mmap_sem (try to acquire)
+
+There is a lock ordering created between mmap_sem and inode->i_rwsem
+causing a lockdep splat [2] during a syzcaller test, this patch fixes
+the issue by unlocking the mutex earlier. Functionally that's Ok since
+we don't need to protect vfs_llseek.
+
+[1] https://patchwork.kernel.org/patch/10185031/
+[2] https://lkml.org/lkml/2018/1/10/48
+
+Acked-by: Todd Kjos <tkjos@google.com>
+Cc: Arve Hjonnevag <arve@android.com>
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
+Signed-off-by: Joel Fernandes <joelaf@google.com>
+Acked-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -343,24 +343,23 @@ static loff_t ashmem_llseek(struct file
+ mutex_lock(&ashmem_mutex);
+
+ if (asma->size == 0) {
+- ret = -EINVAL;
+- goto out;
++ mutex_unlock(&ashmem_mutex);
++ return -EINVAL;
+ }
+
+ if (!asma->file) {
+- ret = -EBADF;
+- goto out;
++ mutex_unlock(&ashmem_mutex);
++ return -EBADF;
+ }
+
++ mutex_unlock(&ashmem_mutex);
++
+ ret = vfs_llseek(asma->file, offset, origin);
+ if (ret < 0)
+- goto out;
++ return ret;
+
+ /** Copy f_pos from backing file, since f_ops->llseek() sets it */
+ file->f_pos = asma->file->f_pos;
+-
+-out:
+- mutex_unlock(&ashmem_mutex);
+ return ret;
+ }
+
--- /dev/null
+From a42ae5905140c324362fe5036ae1dbb16e4d359c Mon Sep 17 00:00:00 2001
+From: Frank Mori Hess <fmh6jj@gmail.com>
+Date: Thu, 15 Feb 2018 15:13:42 -0500
+Subject: staging: comedi: fix comedi_nsamples_left.
+
+From: Frank Mori Hess <fmh6jj@gmail.com>
+
+commit a42ae5905140c324362fe5036ae1dbb16e4d359c upstream.
+
+A rounding error was causing comedi_nsamples_left to
+return the wrong value when nsamples was not a multiple
+of the scan length.
+
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Frank Mori Hess <fmh6jj@gmail.com>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/staging/comedi/drivers.c
++++ b/drivers/staging/comedi/drivers.c
+@@ -484,8 +484,7 @@ unsigned int comedi_nsamples_left(struct
+ struct comedi_cmd *cmd = &async->cmd;
+
+ if (cmd->stop_src == TRIG_COUNT) {
+- unsigned int nscans = nsamples / cmd->scan_end_arg;
+- unsigned int scans_left = __comedi_nscans_left(s, nscans);
++ unsigned int scans_left = __comedi_nscans_left(s, cmd->stop_arg);
+ unsigned int scan_pos =
+ comedi_bytes_to_samples(s, async->scan_progress);
+ unsigned long long samples_left = 0;
--- /dev/null
+From fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 Mon Sep 17 00:00:00 2001
+From: Jonas Danielsson <jonas@orbital-systems.com>
+Date: Mon, 29 Jan 2018 12:39:15 +0100
+Subject: tty/serial: atmel: add new version check for usart
+
+From: Jonas Danielsson <jonas@orbital-systems.com>
+
+commit fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 upstream.
+
+On our at91sam9260 based board the usart0 and usart1 ports report
+their versions (ATMEL_US_VERSION) as 0x10302. This version is not
+included in the current checks in the driver.
+
+Signed-off-by: Jonas Danielsson <jonas@orbital-systems.com>
+Acked-by: Richard Genoud <richard.genoud@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1780,6 +1780,7 @@ static void atmel_get_ip_name(struct uar
+ switch (version) {
+ case 0x302:
+ case 0x10213:
++ case 0x10302:
+ dev_dbg(port->dev, "This version is usart\n");
+ atmel_port->has_frac_baudrate = true;
+ atmel_port->has_hw_timer = true;
--- /dev/null
+From 9a513c905bb95bef79d96feb08621c1ec8d8c4bb Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 6 Mar 2018 15:04:24 +0100
+Subject: uas: fix comparison for error code
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 9a513c905bb95bef79d96feb08621c1ec8d8c4bb upstream.
+
+A typo broke the comparison.
+
+Fixes: cbeef22fd611 ("usb: uas: unconditionally bring back host after reset")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+CC: stable@kernel.org
+Acked-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/uas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -1076,7 +1076,7 @@ static int uas_post_reset(struct usb_int
+ return 0;
+
+ err = uas_configure_endpoints(devinfo);
+- if (err && err != ENODEV)
++ if (err && err != -ENODEV)
+ shost_printk(KERN_ERR, shost,
+ "%s: alloc streams error %d after reset",
+ __func__, err);
--- /dev/null
+From 1a087f032111a88e826877449dfb93ceb22b78b9 Mon Sep 17 00:00:00 2001
+From: Xinyong <xinyong.fang@linux.alibaba.com>
+Date: Fri, 2 Mar 2018 19:20:07 +0800
+Subject: usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
+
+From: Xinyong <xinyong.fang@linux.alibaba.com>
+
+commit 1a087f032111a88e826877449dfb93ceb22b78b9 upstream.
+
+When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
+overflowed, While functionfs is unmounting, ffs_data is put twice.
+
+Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
+refcount_t") can avoid refcount overflow, but that is risk some situations.
+So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.
+
+The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
+KASAN enabled configuration reports use-after-free errro.
+
+BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
+Read of size 4 by task umount/4650
+====================================================
+BUG kmalloc-512 (Tainted: P W O ): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
+ alloc_debug_processing+0x1ac/0x1e8
+ ___slab_alloc.constprop.63+0x640/0x648
+ __slab_alloc.isra.57.constprop.62+0x24/0x34
+ kmem_cache_alloc_trace+0x1a8/0x2bc
+ ffs_fs_mount+0x194/0x844
+ mount_fs+0x6c/0x1d0
+ vfs_kern_mount+0x50/0x1b4
+ do_mount+0x258/0x1034
+INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
+ free_debug_processing+0x22c/0x434
+ __slab_free+0x2d8/0x3a0
+ kfree+0x254/0x264
+ ffs_data_put+0x25c/0x320
+ ffs_data_closed+0x124/0x15c
+ ffs_fs_kill_sb+0xb8/0x110
+ deactivate_locked_super+0x6c/0x98
+ deactivate_super+0xb0/0xbc
+INFO: Object 0xffffffc057938600 @offset=1536 fp=0x (null)
+......
+Call trace:
+[<ffffff900808cf5c>] dump_backtrace+0x0/0x250
+[<ffffff900808d3a0>] show_stack+0x14/0x1c
+[<ffffff90084a8c04>] dump_stack+0xa0/0xc8
+[<ffffff900826c2b4>] print_trailer+0x158/0x260
+[<ffffff900826d9d8>] object_err+0x3c/0x40
+[<ffffff90082745f0>] kasan_report_error+0x2a8/0x754
+[<ffffff9008274f84>] kasan_report+0x5c/0x60
+[<ffffff9008273208>] __asan_load4+0x70/0x88
+[<ffffff90084cd81c>] refcount_dec_and_test+0x14/0xe0
+[<ffffff9008d98f9c>] ffs_data_put+0x80/0x320
+[<ffffff9008d9d904>] ffs_fs_kill_sb+0xc8/0x110
+[<ffffff90082852a0>] deactivate_locked_super+0x6c/0x98
+[<ffffff900828537c>] deactivate_super+0xb0/0xbc
+[<ffffff90082af0c0>] cleanup_mnt+0x64/0xec
+[<ffffff90082af1b0>] __cleanup_mnt+0x10/0x18
+[<ffffff90080d9e68>] task_work_run+0xcc/0x124
+[<ffffff900808c8c0>] do_notify_resume+0x60/0x70
+[<ffffff90080866e4>] work_pending+0x10/0x14
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Xinyong <xinyong.fang@linux.alibaba.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1522,7 +1522,6 @@ ffs_fs_kill_sb(struct super_block *sb)
+ if (sb->s_fs_info) {
+ ffs_release_dev(sb->s_fs_info);
+ ffs_data_closed(sb->s_fs_info);
+- ffs_data_put(sb->s_fs_info);
+ }
+ }
+
--- /dev/null
+From cb88a0588717ba6c756cb5972d75766b273a6817 Mon Sep 17 00:00:00 2001
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Date: Tue, 6 Mar 2018 09:38:49 +0100
+Subject: usb: quirks: add control message delay for 1b1c:1b20
+
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+
+commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.
+
+Corsair Strafe RGB keyboard does not respond to usb control messages
+sometimes and hence generates timeouts.
+
+Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair
+Strafe RGB keyboard") tried to fix those timeouts by adding
+USB_QUIRK_DELAY_INIT.
+
+Unfortunately, even with this quirk timeouts of usb_control_msg()
+can still be seen, but with a lower frequency (approx. 1 out of 15):
+
+[ 29.103520] usb 1-8: string descriptor 0 read error: -110
+[ 34.363097] usb 1-8: can't set config #1, error -110
+
+Adding further delays to different locations where usb control
+messages are issued just moves the timeouts to other locations,
+e.g.:
+
+[ 35.400533] usbhid 1-8:1.0: can't add hid device: -110
+[ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110
+
+The only way to reliably avoid those issues is having a pause after
+each usb control message. In approx. 200 boot cycles no more timeouts
+were seen.
+
+Addionaly, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary
+to have the delay in hub_port_connect() after hub_port_init().
+
+The overall boot time seems not to be influenced by these additional
+delays, even on fast machines and lightweight distributions.
+
+Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
+Cc: stable@vger.kernel.org
+Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/message.c | 4 ++++
+ drivers/usb/core/quirks.c | 3 ++-
+ include/linux/usb/quirks.h | 3 +++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -148,6 +148,10 @@ int usb_control_msg(struct usb_device *d
+
+ ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
+
++ /* Linger a bit, prior to the next control message. */
++ if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
++ msleep(200);
++
+ kfree(dr);
+
+ return ret;
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+
+ /* Corsair Strafe RGB */
+- { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
++ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
++ USB_QUIRK_DELAY_CTRL_MSG },
+
+ /* Corsair K70 LUX */
+ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -56,4 +56,7 @@
+ */
+ #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
+
++/* Device needs a pause after every control message. */
++#define USB_QUIRK_DELAY_CTRL_MSG BIT(13)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
--- /dev/null
+From 5126a504b63d82785eaece3a9c30c660b313785a Mon Sep 17 00:00:00 2001
+From: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
+Date: Thu, 1 Mar 2018 19:34:29 +0200
+Subject: USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
+
+From: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
+
+commit 5126a504b63d82785eaece3a9c30c660b313785a upstream.
+
+This USB-SATA controller seems to be similar with JMicron bridge
+152d:2566 already on the list. Adding it here fixes "Invalid
+field in cdb" errors.
+
+Signed-off-by: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
+Cc: stable@vger.kernel.org
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2137,6 +2137,13 @@ UNUSUAL_DEV( 0x152d, 0x2566, 0x0114, 0x
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_BROKEN_FUA ),
+
++/* Reported by Teijo Kinnunen <teijo.kinnunen@code-q.fi> */
++UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117,
++ "JMicron",
++ "USB to ATA/ATAPI Bridge",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_BROKEN_FUA ),
++
+ /* Reported-by George Cherian <george.cherian@cavium.com> */
+ UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
+ "JMicron",
--- /dev/null
+From a5f596830e27e15f7a0ecd6be55e433d776986d8 Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev <zaitcev@kotori.zaitcev.us>
+Date: Fri, 9 Mar 2018 00:21:14 -0600
+Subject: usb: usbmon: Read text within supplied buffer size
+
+From: Pete Zaitcev <zaitcev@kotori.zaitcev.us>
+
+commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.
+
+This change fixes buffer overflows and silent data corruption with the
+usbmon device driver text file read operations.
+
+Signed-off-by: Fredrik Noring <noring@nocrew.org>
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/mon/mon_text.c | 124 +++++++++++++++++++++++++++------------------
+ 1 file changed, 77 insertions(+), 47 deletions(-)
+
+--- a/drivers/usb/mon/mon_text.c
++++ b/drivers/usb/mon/mon_text.c
+@@ -83,6 +83,8 @@ struct mon_reader_text {
+
+ wait_queue_head_t wait;
+ int printf_size;
++ size_t printf_offset;
++ size_t printf_togo;
+ char *printf_buf;
+ struct mutex printf_lock;
+
+@@ -374,75 +376,103 @@ err_alloc:
+ return rc;
+ }
+
+-/*
+- * For simplicity, we read one record in one system call and throw out
+- * what does not fit. This means that the following does not work:
+- * dd if=/dbg/usbmon/0t bs=10
+- * Also, we do not allow seeks and do not bother advancing the offset.
+- */
++static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
++ char __user * const buf, const size_t nbytes)
++{
++ const size_t togo = min(nbytes, rp->printf_togo);
++
++ if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo))
++ return -EFAULT;
++ rp->printf_togo -= togo;
++ rp->printf_offset += togo;
++ return togo;
++}
++
++/* ppos is not advanced since the llseek operation is not permitted. */
+ static ssize_t mon_text_read_t(struct file *file, char __user *buf,
+- size_t nbytes, loff_t *ppos)
++ size_t nbytes, loff_t *ppos)
+ {
+ struct mon_reader_text *rp = file->private_data;
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
++ ssize_t ret;
+
+- ep = mon_text_read_wait(rp, file);
+- if (IS_ERR(ep))
+- return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+- ptr.cnt = 0;
+- ptr.pbuf = rp->printf_buf;
+- ptr.limit = rp->printf_size;
+-
+- mon_text_read_head_t(rp, &ptr, ep);
+- mon_text_read_statset(rp, &ptr, ep);
+- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+- " %d", ep->length);
+- mon_text_read_data(rp, &ptr, ep);
+
+- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+- ptr.cnt = -EFAULT;
++ if (rp->printf_togo == 0) {
++
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep)) {
++ mutex_unlock(&rp->printf_lock);
++ return PTR_ERR(ep);
++ }
++ ptr.cnt = 0;
++ ptr.pbuf = rp->printf_buf;
++ ptr.limit = rp->printf_size;
++
++ mon_text_read_head_t(rp, &ptr, ep);
++ mon_text_read_statset(rp, &ptr, ep);
++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
++ " %d", ep->length);
++ mon_text_read_data(rp, &ptr, ep);
++
++ rp->printf_togo = ptr.cnt;
++ rp->printf_offset = 0;
++
++ kmem_cache_free(rp->e_slab, ep);
++ }
++
++ ret = mon_text_copy_to_user(rp, buf, nbytes);
+ mutex_unlock(&rp->printf_lock);
+- kmem_cache_free(rp->e_slab, ep);
+- return ptr.cnt;
++ return ret;
+ }
+
++/* ppos is not advanced since the llseek operation is not permitted. */
+ static ssize_t mon_text_read_u(struct file *file, char __user *buf,
+- size_t nbytes, loff_t *ppos)
++ size_t nbytes, loff_t *ppos)
+ {
+ struct mon_reader_text *rp = file->private_data;
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
++ ssize_t ret;
+
+- ep = mon_text_read_wait(rp, file);
+- if (IS_ERR(ep))
+- return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+- ptr.cnt = 0;
+- ptr.pbuf = rp->printf_buf;
+- ptr.limit = rp->printf_size;
+
+- mon_text_read_head_u(rp, &ptr, ep);
+- if (ep->type == 'E') {
+- mon_text_read_statset(rp, &ptr, ep);
+- } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
+- mon_text_read_isostat(rp, &ptr, ep);
+- mon_text_read_isodesc(rp, &ptr, ep);
+- } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
+- mon_text_read_intstat(rp, &ptr, ep);
+- } else {
+- mon_text_read_statset(rp, &ptr, ep);
++ if (rp->printf_togo == 0) {
++
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep)) {
++ mutex_unlock(&rp->printf_lock);
++ return PTR_ERR(ep);
++ }
++ ptr.cnt = 0;
++ ptr.pbuf = rp->printf_buf;
++ ptr.limit = rp->printf_size;
++
++ mon_text_read_head_u(rp, &ptr, ep);
++ if (ep->type == 'E') {
++ mon_text_read_statset(rp, &ptr, ep);
++ } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
++ mon_text_read_isostat(rp, &ptr, ep);
++ mon_text_read_isodesc(rp, &ptr, ep);
++ } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
++ mon_text_read_intstat(rp, &ptr, ep);
++ } else {
++ mon_text_read_statset(rp, &ptr, ep);
++ }
++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
++ " %d", ep->length);
++ mon_text_read_data(rp, &ptr, ep);
++
++ rp->printf_togo = ptr.cnt;
++ rp->printf_offset = 0;
++
++ kmem_cache_free(rp->e_slab, ep);
+ }
+- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+- " %d", ep->length);
+- mon_text_read_data(rp, &ptr, ep);
+
+- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+- ptr.cnt = -EFAULT;
++ ret = mon_text_copy_to_user(rp, buf, nbytes);
+ mutex_unlock(&rp->printf_lock);
+- kmem_cache_free(rp->e_slab, ep);
+- return ptr.cnt;
++ return ret;
+ }
+
+ static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp,
--- /dev/null
+From df3334c223a033f562645712e832ca4cbb326bbf Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 22 Feb 2018 17:39:17 +0000
+Subject: usbip: vudc: fix null pointer dereference on udc->lock
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit df3334c223a033f562645712e832ca4cbb326bbf upstream.
+
+Currently the driver attempts to spin lock on udc->lock before a NULL
+pointer check is performed on udc, hence there is a potential null
+pointer dereference on udc->lock. Fix this by moving the null check
+on udc before the lock occurs.
+
+Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
+Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vudc_sysfs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/vudc_sysfs.c
++++ b/drivers/usb/usbip/vudc_sysfs.c
+@@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic
+ if (rv != 0)
+ return -EINVAL;
+
++ if (!udc) {
++ dev_err(dev, "no device");
++ return -ENODEV;
++ }
+ spin_lock_irqsave(&udc->lock, flags);
+ /* Don't export what we don't have */
+- if (!udc || !udc->driver || !udc->pullup) {
+- dev_err(dev, "no device or gadget not bound");
++ if (!udc->driver || !udc->pullup) {
++ dev_err(dev, "gadget not bound");
+ ret = -ENODEV;
+ goto unlock;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
