4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Oct 2017 14:29:23 +0000 (16:29 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Oct 2017 14:29:23 +0000 (16:29 +0200)
added patches:
alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
alsa-line6-fix-missing-initialization-before-error-path.patch
alsa-seq-fix-copy_from_user-call-inside-lock.patch
alsa-seq-fix-use-after-free-at-creating-a-port.patch
alsa-usb-audio-kill-stray-urb-at-exiting.patch
bio_copy_user_iov-don-t-ignore-iov_offset.patch
crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
device-property-track-owner-device-of-device-property.patch
direct-io-prevent-null-pointer-access-in-submit_page_section.patch
dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
hid-usbhid-fix-out-of-bounds-bug.patch
iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
kvm-mmu-always-terminate-page-walks-at-level-1.patch
kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
more-bio_map_user_iov-leak-fixes.patch
pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
usb-serial-console-fix-use-after-free-after-failed-setup.patch
usb-serial-cp210x-add-support-for-elv-tfd500.patch
usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
usb-serial-option-add-support-for-tp-link-lte-module.patch
usb-serial-qcserial-add-dell-dw5818-dw5819.patch

34 files changed:
queue-4.9/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch [new file with mode: 0644]
queue-4.9/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch [new file with mode: 0644]
queue-4.9/alsa-line6-fix-missing-initialization-before-error-path.patch [new file with mode: 0644]
queue-4.9/alsa-seq-fix-copy_from_user-call-inside-lock.patch [new file with mode: 0644]
queue-4.9/alsa-seq-fix-use-after-free-at-creating-a-port.patch [new file with mode: 0644]
queue-4.9/alsa-usb-audio-kill-stray-urb-at-exiting.patch [new file with mode: 0644]
queue-4.9/bio_copy_user_iov-don-t-ignore-iov_offset.patch [new file with mode: 0644]
queue-4.9/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch [new file with mode: 0644]
queue-4.9/device-property-track-owner-device-of-device-property.patch [new file with mode: 0644]
queue-4.9/direct-io-prevent-null-pointer-access-in-submit_page_section.patch [new file with mode: 0644]
queue-4.9/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch [new file with mode: 0644]
queue-4.9/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch [new file with mode: 0644]
queue-4.9/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch [new file with mode: 0644]
queue-4.9/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch [new file with mode: 0644]
queue-4.9/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch [new file with mode: 0644]
queue-4.9/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch [new file with mode: 0644]
queue-4.9/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch [new file with mode: 0644]
queue-4.9/hid-usbhid-fix-out-of-bounds-bug.patch [new file with mode: 0644]
queue-4.9/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch [new file with mode: 0644]
queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch [new file with mode: 0644]
queue-4.9/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch [new file with mode: 0644]
queue-4.9/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch [new file with mode: 0644]
queue-4.9/more-bio_map_user_iov-leak-fixes.patch [new file with mode: 0644]
queue-4.9/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch [new file with mode: 0644]
queue-4.9/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch [new file with mode: 0644]
queue-4.9/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch [new file with mode: 0644]
queue-4.9/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch [new file with mode: 0644]
queue-4.9/usb-serial-console-fix-use-after-free-after-failed-setup.patch [new file with mode: 0644]
queue-4.9/usb-serial-cp210x-add-support-for-elv-tfd500.patch [new file with mode: 0644]
queue-4.9/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch [new file with mode: 0644]
queue-4.9/usb-serial-option-add-support-for-tp-link-lte-module.patch [new file with mode: 0644]
queue-4.9/usb-serial-qcserial-add-dell-dw5818-dw5819.patch [new file with mode: 0644]

diff --git a/queue-4.9/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch b/queue-4.9/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
new file mode 100644 (file)
index 0000000..191ab37
--- /dev/null
@@ -0,0 +1,51 @@
+From 99fee508245825765ff60155fed43f970ff83a8f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 11 Oct 2017 16:39:02 +0200
+Subject: ALSA: caiaq: Fix stray URB at probe error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 99fee508245825765ff60155fed43f970ff83a8f upstream.
+
+caiaq driver doesn't kill the URB properly at its error path during
+the probe, which may lead to a use-after-free error later.  This patch
+addresses it.
+
+Reported-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/caiaq/device.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -469,10 +469,12 @@ static int init_card(struct snd_usb_caia
+       err = snd_usb_caiaq_send_command(cdev, EP1_CMD_GET_DEVICE_INFO, NULL, 0);
+       if (err)
+-              return err;
++              goto err_kill_urb;
+-      if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ))
+-              return -ENODEV;
++      if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) {
++              err = -ENODEV;
++              goto err_kill_urb;
++      }
+       usb_string(usb_dev, usb_dev->descriptor.iManufacturer,
+                  cdev->vendor_name, CAIAQ_USB_STR_LEN);
+@@ -507,6 +509,10 @@ static int init_card(struct snd_usb_caia
+       setup_card(cdev);
+       return 0;
++
++ err_kill_urb:
++      usb_kill_urb(&cdev->ep1_in_urb);
++      return err;
+ }
+ static int snd_probe(struct usb_interface *intf,
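Review bot: The new `err_kill_urb` label in init_card() has no comment saying why the kill is required, although `ep1_in_urb` is embedded in `cdev` (`&cdev->ep1_in_urb`) and therefore cannot be allowed to outlive it. A line such as `/* ep1_in_urb lives inside cdev: it must be idle before the caller tears the card down */` above `usb_kill_urb()` would record the lifetime rule the commit message describes. The success path appears to return with the URB still in flight, so any failure handled by the caller after init_card() returns would need the same treatment. snd_probe() only begins at the end of the hunk, so this cannot be checked from here.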
diff --git a/queue-4.9/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch b/queue-4.9/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
new file mode 100644 (file)
index 0000000..d55209c
--- /dev/null
@@ -0,0 +1,58 @@
+From c95072b3d88fac4be295815f2b67df366c0c297f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 14:51:23 +0200
+Subject: ALSA: line6: Fix leftover URB at error-path during probe
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c95072b3d88fac4be295815f2b67df366c0c297f upstream.
+
+While line6_probe() may kick off URB for a control MIDI endpoint, the
+function doesn't clean up it properly at its error path.  This results
+in a leftover URB action that is eventually triggered later and causes
+an Oops like:
+  general protection fault: 0000 [#1] PREEMPT SMP KASAN
+  CPU: 1 PID: 0 Comm: swapper/1 Not tainted
+  RIP: 0010:usb_fill_bulk_urb ./include/linux/usb.h:1619
+  RIP: 0010:line6_start_listen+0x3fe/0x9e0 sound/usb/line6/driver.c:76
+  Call Trace:
+   <IRQ>
+   line6_data_received+0x1f7/0x470 sound/usb/line6/driver.c:326
+   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
+   usb_hcd_giveback_urb+0x337/0x420 drivers/usb/core/hcd.c:1845
+   dummy_timer+0xba9/0x39f0 drivers/usb/gadget/udc/dummy_hcd.c:1965
+   call_timer_fn+0x2a2/0x940 kernel/time/timer.c:1281
+   ....
+
+Since the whole clean-up procedure is done in line6_disconnect()
+callback, we can simply call it in the error path instead of
+open-coding the whole again.  It'll fix such an issue automagically.
+
+The bug was spotted by syzkaller.
+
+Fixes: eedd0e95d355 ("ALSA: line6: Don't forget to call driver's destructor at error path")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/driver.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -775,9 +775,10 @@ int line6_probe(struct usb_interface *in
+       return 0;
+  error:
+-      if (line6->disconnect)
+-              line6->disconnect(line6);
+-      snd_card_free(card);
++      /* we can call disconnect callback here because no close-sync is
++       * needed yet at this point
++       */
++      line6_disconnect(interface);
+       return ret;
+ }
+ EXPORT_SYMBOL_GPL(line6_probe);
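Review bot: Routing the `error:` label through `line6_disconnect(interface)` means every driver's disconnect callback can now run against a device whose init stopped half way, and the added comment only covers the close-sync aspect. The syzkaller trace quoted in alsa-line6-fix-missing-initialization-before-error-path.patch in this same queue (`podhd_disconnect` reached from `line6_probe`, ending in `del_timer_sync` on an uninitialised timer) is exactly that case. I would extend the comment to state the contract, e.g. `/* disconnect callbacks must cope with a partially initialised device: timers, work items and URBs they touch have to be set up before the driver's init can fail */`. line6_probe() starts outside the hunk, so whether every `goto error` is reached after the interface data has been set cannot be verified from the visible lines.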
diff --git a/queue-4.9/alsa-line6-fix-missing-initialization-before-error-path.patch b/queue-4.9/alsa-line6-fix-missing-initialization-before-error-path.patch
new file mode 100644 (file)
index 0000000..78c7b4f
--- /dev/null
@@ -0,0 +1,66 @@
+From cb02ffc76a53b5ea751b79b8d4f4d180e5868475 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 14:32:15 +0200
+Subject: ALSA: line6: Fix missing initialization before error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit cb02ffc76a53b5ea751b79b8d4f4d180e5868475 upstream.
+
+The error path in podhd_init() tries to clear the pending timer, while
+the timer object is initialized at the end of init sequence, thus it
+may hit the uninitialized object, as spotted by syzkaller:
+
+  INFO: trying to register non-static key.
+  the code is fine but needs lockdep annotation.
+  turning off the locking correctness validator.
+  CPU: 1 PID: 1845 Comm: kworker/1:2 Not tainted
+  4.14.0-rc2-42613-g1488251d1a98 #238
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Workqueue: usb_hub_wq hub_event
+  Call Trace:
+   __dump_stack lib/dump_stack.c:16
+   dump_stack+0x292/0x395 lib/dump_stack.c:52
+   register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
+   __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
+   lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
+   del_timer_sync+0x12c/0x280 kernel/time/timer.c:1237
+   podhd_disconnect+0x8c/0x160 sound/usb/line6/podhd.c:299
+   line6_probe+0x844/0x1310 sound/usb/line6/driver.c:783
+   podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
+   ....
+
+For addressing it, assure the initializations of timer and work by
+moving them to the beginning of podhd_init().
+
+Fixes: 790869dacc3d ("ALSA: line6: Add support for POD X3")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/podhd.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -307,6 +307,9 @@ static int podhd_init(struct usb_line6 *
+       line6->disconnect = podhd_disconnect;
++      init_timer(&pod->startup_timer);
++      INIT_WORK(&pod->startup_work, podhd_startup_workqueue);
++
+       if (pod->line6.properties->capabilities & LINE6_CAP_CONTROL) {
+               /* create sysfs entries: */
+               err = snd_card_add_dev_attr(line6->card, &podhd_dev_attr_group);
+@@ -330,8 +333,6 @@ static int podhd_init(struct usb_line6 *
+       }
+       /* init device and delay registering */
+-      init_timer(&pod->startup_timer);
+-      INIT_WORK(&pod->startup_work, podhd_startup_workqueue);
+       podhd_startup(pod);
+       return 0;
+ }
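Review bot: The moved `init_timer()` / `INIT_WORK()` lines in podhd_init() carry no comment saying that their position matters, so a later reshuffle could reintroduce the uninitialised-timer access shown in the quoted trace. A short comment above them would be enough: `/* must precede any error return: podhd_disconnect() runs del_timer_sync() on startup_timer from the probe error path */`. The trace only shows the timer being touched; that podhd_disconnect() also depends on `startup_work` being initialised is presumed from the commit message and is not visible in this hunk.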
diff --git a/queue-4.9/alsa-seq-fix-copy_from_user-call-inside-lock.patch b/queue-4.9/alsa-seq-fix-copy_from_user-call-inside-lock.patch
new file mode 100644 (file)
index 0000000..a27733e
--- /dev/null
@@ -0,0 +1,137 @@
+From 5803b023881857db32ffefa0d269c90280a67ee0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 10:02:56 +0200
+Subject: ALSA: seq: Fix copy_from_user() call inside lock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 5803b023881857db32ffefa0d269c90280a67ee0 upstream.
+
+The event handler in the virmidi sequencer code takes a read-lock for
+the linked list traverse, while it's calling snd_seq_dump_var_event()
+in the loop.  The latter function may expand the user-space data
+depending on the event type.  It eventually invokes copy_from_user(),
+which might be a potential dead-lock.
+
+The sequencer core guarantees that the user-space data is passed only
+with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
+and always takes read-lock().  For avoiding the problem above, this
+patch introduces rwsem for non-atomic case, while keeping rwlock for
+atomic case.
+
+Also while we're at it: the superfluous irq flags is dropped in
+snd_virmidi_input_open().
+
+Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/seq_virmidi.h  |    1 +
+ sound/core/seq/seq_virmidi.c |   27 +++++++++++++++++++--------
+ 2 files changed, 20 insertions(+), 8 deletions(-)
+
+--- a/include/sound/seq_virmidi.h
++++ b/include/sound/seq_virmidi.h
+@@ -60,6 +60,7 @@ struct snd_virmidi_dev {
+       int port;                       /* created/attached port */
+       unsigned int flags;             /* SNDRV_VIRMIDI_* */
+       rwlock_t filelist_lock;
++      struct rw_semaphore filelist_sem;
+       struct list_head filelist;
+ };
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -77,13 +77,17 @@ static void snd_virmidi_init_event(struc
+  * decode input event and put to read buffer of each opened file
+  */
+ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev,
+-                                       struct snd_seq_event *ev)
++                                       struct snd_seq_event *ev,
++                                       bool atomic)
+ {
+       struct snd_virmidi *vmidi;
+       unsigned char msg[4];
+       int len;
+-      read_lock(&rdev->filelist_lock);
++      if (atomic)
++              read_lock(&rdev->filelist_lock);
++      else
++              down_read(&rdev->filelist_sem);
+       list_for_each_entry(vmidi, &rdev->filelist, list) {
+               if (!vmidi->trigger)
+                       continue;
+@@ -97,7 +101,10 @@ static int snd_virmidi_dev_receive_event
+                               snd_rawmidi_receive(vmidi->substream, msg, len);
+               }
+       }
+-      read_unlock(&rdev->filelist_lock);
++      if (atomic)
++              read_unlock(&rdev->filelist_lock);
++      else
++              up_read(&rdev->filelist_sem);
+       return 0;
+ }
+@@ -115,7 +122,7 @@ int snd_virmidi_receive(struct snd_rawmi
+       struct snd_virmidi_dev *rdev;
+       rdev = rmidi->private_data;
+-      return snd_virmidi_dev_receive_event(rdev, ev);
++      return snd_virmidi_dev_receive_event(rdev, ev, true);
+ }
+ #endif  /*  0  */
+@@ -130,7 +137,7 @@ static int snd_virmidi_event_input(struc
+       rdev = private_data;
+       if (!(rdev->flags & SNDRV_VIRMIDI_USE))
+               return 0; /* ignored */
+-      return snd_virmidi_dev_receive_event(rdev, ev);
++      return snd_virmidi_dev_receive_event(rdev, ev, atomic);
+ }
+ /*
+@@ -209,7 +216,6 @@ static int snd_virmidi_input_open(struct
+       struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
+       struct snd_rawmidi_runtime *runtime = substream->runtime;
+       struct snd_virmidi *vmidi;
+-      unsigned long flags;
+       vmidi = kzalloc(sizeof(*vmidi), GFP_KERNEL);
+       if (vmidi == NULL)
+@@ -223,9 +229,11 @@ static int snd_virmidi_input_open(struct
+       vmidi->client = rdev->client;
+       vmidi->port = rdev->port;       
+       runtime->private_data = vmidi;
+-      write_lock_irqsave(&rdev->filelist_lock, flags);
++      down_write(&rdev->filelist_sem);
++      write_lock_irq(&rdev->filelist_lock);
+       list_add_tail(&vmidi->list, &rdev->filelist);
+-      write_unlock_irqrestore(&rdev->filelist_lock, flags);
++      write_unlock_irq(&rdev->filelist_lock);
++      up_write(&rdev->filelist_sem);
+       vmidi->rdev = rdev;
+       return 0;
+ }
+@@ -264,9 +272,11 @@ static int snd_virmidi_input_close(struc
+       struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
+       struct snd_virmidi *vmidi = substream->runtime->private_data;
++      down_write(&rdev->filelist_sem);
+       write_lock_irq(&rdev->filelist_lock);
+       list_del(&vmidi->list);
+       write_unlock_irq(&rdev->filelist_lock);
++      up_write(&rdev->filelist_sem);
+       snd_midi_event_free(vmidi->parser);
+       substream->runtime->private_data = NULL;
+       kfree(vmidi);
+@@ -520,6 +530,7 @@ int snd_virmidi_new(struct snd_card *car
+       rdev->rmidi = rmidi;
+       rdev->device = device;
+       rdev->client = -1;
++      init_rwsem(&rdev->filelist_sem);
+       rwlock_init(&rdev->filelist_lock);
+       INIT_LIST_HEAD(&rdev->filelist);
+       rdev->seq_mode = SNDRV_VIRMIDI_SEQ_DISPATCH;
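Review bot: `filelist` is now guarded by two locks with a fixed nesting order, and neither the struct in seq_virmidi.h nor the open/close paths say so. Writers take `filelist_sem` and then `filelist_lock` (snd_virmidi_input_open/close), atomic readers take only the rwlock and non-atomic readers only the rwsem, so a future writer that takes just one of them would leave one class of reader walking the list unprotected. I would document it at the fields: `rwlock_t filelist_lock; /* atomic readers; writers nest it inside filelist_sem */` and `struct rw_semaphore filelist_sem; /* non-atomic readers (may reach copy_from_user); writers take this first */`. The switch from `write_lock_irqsave` to `write_lock_irq` in snd_virmidi_input_open() also relies on the function being entered with interrupts enabled, which is consistent with the `kzalloc(GFP_KERNEL)` and `down_write()` calls around it.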
diff --git a/queue-4.9/alsa-seq-fix-use-after-free-at-creating-a-port.patch b/queue-4.9/alsa-seq-fix-use-after-free-at-creating-a-port.patch
new file mode 100644 (file)
index 0000000..9fa91e5
--- /dev/null
@@ -0,0 +1,138 @@
+From 71105998845fb012937332fe2e806d443c09e026 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 11:09:20 +0200
+Subject: ALSA: seq: Fix use-after-free at creating a port
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 71105998845fb012937332fe2e806d443c09e026 upstream.
+
+There is a potential race window opened at creating and deleting a
+port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
+a port object and returns its pointer, but it doesn't take the
+refcount, thus it can be deleted immediately by another thread.
+Meanwhile, snd_seq_ioctl_create_port() still calls the function
+snd_seq_system_client_ev_port_start() with the created port object
+that is being deleted, and this triggers use-after-free like:
+
+ BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
+ =============================================================================
+ BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
+ -----------------------------------------------------------------------------
+ INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
+       ___slab_alloc+0x425/0x460
+       __slab_alloc+0x20/0x40
+       kmem_cache_alloc_trace+0x150/0x190
+       snd_seq_create_port+0x94/0x9b0 [snd_seq]
+       snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
+       snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+       snd_seq_ioctl+0x40/0x80 [snd_seq]
+       do_vfs_ioctl+0x54b/0xda0
+       SyS_ioctl+0x79/0x90
+       entry_SYSCALL_64_fastpath+0x16/0x75
+ INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
+       __slab_free+0x204/0x310
+       kfree+0x15f/0x180
+       port_delete+0x136/0x1a0 [snd_seq]
+       snd_seq_delete_port+0x235/0x350 [snd_seq]
+       snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
+       snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+       snd_seq_ioctl+0x40/0x80 [snd_seq]
+       do_vfs_ioctl+0x54b/0xda0
+       SyS_ioctl+0x79/0x90
+       entry_SYSCALL_64_fastpath+0x16/0x75
+ Call Trace:
+  [<ffffffff81b03781>] dump_stack+0x63/0x82
+  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
+  [<ffffffff81536db4>] object_err+0x34/0x40
+  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
+  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
+  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
+  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
+  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
+  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
+  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
+  .....
+
+We may fix this in a few different ways, and in this patch, it's fixed
+simply by taking the refcount properly at snd_seq_create_port() and
+letting the caller unref the object after use.  Also, there is another
+potential use-after-free by sprintf() call in snd_seq_create_port(),
+and this is moved inside the lock.
+
+This fix covers CVE-2017-15265.
+
+Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c |    6 +++++-
+ sound/core/seq/seq_ports.c     |    7 +++++--
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(str
+       struct snd_seq_port_info *info = arg;
+       struct snd_seq_client_port *port;
+       struct snd_seq_port_callback *callback;
++      int port_idx;
+       /* it is not allowed to create the port for an another client */
+       if (info->addr.client != client->number)
+@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(str
+               return -ENOMEM;
+       if (client->type == USER_CLIENT && info->kernel) {
+-              snd_seq_delete_port(client, port->addr.port);
++              port_idx = port->addr.port;
++              snd_seq_port_unlock(port);
++              snd_seq_delete_port(client, port_idx);
+               return -EINVAL;
+       }
+       if (client->type == KERNEL_CLIENT) {
+@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(str
+       snd_seq_set_port_info(port, info);
+       snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
++      snd_seq_port_unlock(port);
+       return 0;
+ }
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -122,7 +122,9 @@ static void port_subs_info_init(struct s
+ }
+-/* create a port, port number is returned (-1 on failure) */
++/* create a port, port number is returned (-1 on failure);
++ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
++ */
+ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+                                               int port)
+ {
+@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_crea
+       snd_use_lock_init(&new_port->use_lock);
+       port_subs_info_init(&new_port->c_src);
+       port_subs_info_init(&new_port->c_dest);
++      snd_use_lock_use(&new_port->use_lock);
+       num = port >= 0 ? port : 0;
+       mutex_lock(&client->ports_mutex);
+@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_crea
+       list_add_tail(&new_port->list, &p->list);
+       client->num_ports++;
+       new_port->addr.port = num;      /* store the port number in the port */
++      sprintf(new_port->name, "port-%d", num);
+       write_unlock_irqrestore(&client->ports_lock, flags);
+       mutex_unlock(&client->ports_mutex);
+-      sprintf(new_port->name, "port-%d", num);
+       return new_port;
+ }
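Review bot: The updated comment above snd_seq_create_port() in seq_ports.c still says "port number is returned (-1 on failure)", but the function returns a `struct snd_seq_client_port *` (`return new_port;`), so the new reference contract is attached to a wrong description. I would rewrite it as `/* create a port; returns the new port with its use_lock held (the caller drops it via snd_seq_port_unlock()), or NULL on failure */`; the NULL case is inferred from the caller's `-ENOMEM` branch and should be confirmed. Because the reference is now taken unconditionally, any caller other than snd_seq_ioctl_create_port() would keep the port pinned, and no other caller is visible in this patch. The relocated `sprintf(new_port->name, "port-%d", num)` could also become `snprintf(new_port->name, sizeof(new_port->name), "port-%d", num)`, assuming `name` is an array member.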
diff --git a/queue-4.9/alsa-usb-audio-kill-stray-urb-at-exiting.patch b/queue-4.9/alsa-usb-audio-kill-stray-urb-at-exiting.patch
new file mode 100644 (file)
index 0000000..80e3ec9
--- /dev/null
@@ -0,0 +1,117 @@
+From 124751d5e63c823092060074bd0abaae61aaa9c4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 10 Oct 2017 14:10:32 +0200
+Subject: ALSA: usb-audio: Kill stray URB at exiting
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream.
+
+USB-audio driver may leave a stray URB for the mixer interrupt when it
+exits by some error during probe.  This leads to a use-after-free
+error as spotted by syzkaller like:
+  ==================================================================
+  BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
+  Call Trace:
+   <IRQ>
+   __dump_stack lib/dump_stack.c:16
+   dump_stack+0x292/0x395 lib/dump_stack.c:52
+   print_address_description+0x78/0x280 mm/kasan/report.c:252
+   kasan_report_error mm/kasan/report.c:351
+   kasan_report+0x23d/0x350 mm/kasan/report.c:409
+   __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
+   snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
+   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
+   ....
+
+  Allocated by task 1484:
+   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
+   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+   set_track mm/kasan/kasan.c:459
+   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
+   kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
+   kmalloc ./include/linux/slab.h:493
+   kzalloc ./include/linux/slab.h:666
+   snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
+   create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
+   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
+   create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
+   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
+   usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
+   ....
+
+  Freed by task 1484:
+   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
+   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+   set_track mm/kasan/kasan.c:459
+   kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
+   slab_free_hook mm/slub.c:1390
+   slab_free_freelist_hook mm/slub.c:1412
+   slab_free mm/slub.c:2988
+   kfree+0xf6/0x2f0 mm/slub.c:3919
+   snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
+   snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
+   __snd_device_free+0x1ff/0x380 sound/core/device.c:91
+   snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
+   snd_card_do_free sound/core/init.c:461
+   release_card_device+0x47/0x170 sound/core/init.c:181
+   device_release+0x13f/0x210 drivers/base/core.c:814
+   ....
+
+Actually such a URB is killed properly at disconnection when the
+device gets probed successfully, and what we need is to apply it for
+the error-path, too.
+
+In this patch, we apply snd_usb_mixer_disconnect() at releasing.
+Also introduce a new flag, disconnected, to struct usb_mixer_interface
+for not performing the disconnection procedure twice.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |   12 ++++++++++--
+ sound/usb/mixer.h |    2 ++
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2228,6 +2228,9 @@ static int parse_audio_unit(struct mixer
+ static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
+ {
++      /* kill pending URBs */
++      snd_usb_mixer_disconnect(mixer);
++
+       kfree(mixer->id_elems);
+       if (mixer->urb) {
+               kfree(mixer->urb->transfer_buffer);
+@@ -2578,8 +2581,13 @@ _error:
+ void snd_usb_mixer_disconnect(struct usb_mixer_interface *mixer)
+ {
+-      usb_kill_urb(mixer->urb);
+-      usb_kill_urb(mixer->rc_urb);
++      if (mixer->disconnected)
++              return;
++      if (mixer->urb)
++              usb_kill_urb(mixer->urb);
++      if (mixer->rc_urb)
++              usb_kill_urb(mixer->rc_urb);
++      mixer->disconnected = true;
+ }
+ #ifdef CONFIG_PM
+--- a/sound/usb/mixer.h
++++ b/sound/usb/mixer.h
+@@ -22,6 +22,8 @@ struct usb_mixer_interface {
+       struct urb *rc_urb;
+       struct usb_ctrlrequest *rc_setup_packet;
+       u8 rc_buffer[6];
++
++      bool disconnected;
+ };
+ #define MAX_CHANNELS  16      /* max logical channels */
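Review bot: The early `return` on `mixer->disconnected` in snd_usb_mixer_disconnect() makes the kill one-shot, so the call added to snd_usb_mixer_free() does nothing if either URB was submitted again after the first disconnect. Nothing visible in the hunk prevents a resubmission, and the `#ifdef CONFIG_PM` section that follows is outside it, so this may already be excluded elsewhere. If it is not, the submit paths should test the flag, or the free path should call `usb_kill_urb()` unconditionally before `kfree(mixer->urb->transfer_buffer)`. Either way the new field deserves a comment, e.g. `bool disconnected; /* set once the URBs are killed; nothing may submit urb or rc_urb afterwards */`.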
diff --git a/queue-4.9/bio_copy_user_iov-don-t-ignore-iov_offset.patch b/queue-4.9/bio_copy_user_iov-don-t-ignore-iov_offset.patch
new file mode 100644 (file)
index 0000000..ec2e22c
--- /dev/null
@@ -0,0 +1,35 @@
+From 1cfd0ddd82232804e03f3023f6a58b50dfef0574 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 24 Sep 2017 10:21:15 -0400
+Subject: bio_copy_user_iov(): don't ignore ->iov_offset
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 1cfd0ddd82232804e03f3023f6a58b50dfef0574 upstream.
+
+Since "block: support large requests in blk_rq_map_user_iov" we
+started to call it with partially drained iter; that works fine
+on the write side, but reads create a copy of iter for completion
+time.  And that needs to take the possibility of ->iov_iter != 0
+into account...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1171,8 +1171,8 @@ struct bio *bio_copy_user_iov(struct req
+        */
+       bmd->is_our_pages = map_data ? 0 : 1;
+       memcpy(bmd->iov, iter->iov, sizeof(struct iovec) * iter->nr_segs);
+-      iov_iter_init(&bmd->iter, iter->type, bmd->iov,
+-                      iter->nr_segs, iter->count);
++      bmd->iter = *iter;
++      bmd->iter.iov = bmd->iov;
+       ret = -ENOMEM;
+       bio = bio_kmalloc(gfp_mask, nr_pages);
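Review bot: `bmd->iter = *iter;` copies every field of the caller's iterator and only `iov` is re-pointed at the private array; that is what preserves `iov_offset` for completion time, and it deserves a comment at the assignment. Suggested: `/* keep iov_offset/count of a partially drained iter; only the segment array is switched to our copy */`. The `memcpy()` just above still sizes the copy from `iter->nr_segs` and reads `iter->iov`, so the code assumes an iovec-backed iterator at this point. Whether bio_copy_user_iov() can be reached with another iterator type is not visible here, since the hunk starts mid-function.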
diff --git a/queue-4.9/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch b/queue-4.9/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
new file mode 100644 (file)
index 0000000..08e8975
--- /dev/null
@@ -0,0 +1,47 @@
+From b61907bb42409adf9b3120f741af7c57dd7e3db2 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 9 Oct 2017 23:30:02 +0800
+Subject: crypto: shash - Fix zero-length shash ahash digest crash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit b61907bb42409adf9b3120f741af7c57dd7e3db2 upstream.
+
+The shash ahash digest adaptor function may crash if given a
+zero-length input together with a null SG list.  This is because
+it tries to read the SG list before looking at the length.
+
+This patch fixes it by checking the length first.
+
+Reported-by: Stephan Müller<smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Stephan Müller <smueller@chronox.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/shash.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -274,12 +274,14 @@ static int shash_async_finup(struct ahas
+ int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc)
+ {
+-      struct scatterlist *sg = req->src;
+-      unsigned int offset = sg->offset;
+       unsigned int nbytes = req->nbytes;
++      struct scatterlist *sg;
++      unsigned int offset;
+       int err;
+-      if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) {
++      if (nbytes &&
++          (sg = req->src, offset = sg->offset,
++           nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset))) {
+               void *data;
+               data = kmap_atomic(sg_page(sg));
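Review bot: The new condition in shash_ahash_digest() assigns `sg` and `offset` through comma operators inside the `if`, which leaves both uninitialised whenever `nbytes` is zero and hides that fact in the test expression. The visible branch only uses them after the check has passed, but the rest of the function lies outside the hunk, so the rule should be written down next to the declarations: `/* sg and offset are valid only inside the short-input branch; req->src may be NULL when nbytes == 0 */`. If the compact expression is kept to minimise the backport, that comment is the cheap guard against a later use of `sg` on the zero-length path.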
diff --git a/queue-4.9/device-property-track-owner-device-of-device-property.patch b/queue-4.9/device-property-track-owner-device-of-device-property.patch
new file mode 100644 (file)
index 0000000..e04909c
--- /dev/null
@@ -0,0 +1,108 @@
+From 5ab894aee0f171a682bcd90dd5d1930cb53c55dc Mon Sep 17 00:00:00 2001
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Date: Mon, 9 Oct 2017 16:28:37 +0300
+Subject: device property: Track owner device of device property
+
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+
+commit 5ab894aee0f171a682bcd90dd5d1930cb53c55dc upstream.
+
+Deletion of subdevice will remove device properties associated to parent
+when they share the same firmware node after commit 478573c93abd (driver
+core: Don't leak secondary fwnode on device removal).  This was observed
+with a driver adding subdevice that driver wasn't able to read device
+properties after rmmod/modprobe cycle.
+
+Consider the lifecycle of it:
+
+parent device registration
+       ACPI_COMPANION_SET()
+       device_add_properties()
+               pset_copy_set()
+               set_secondary_fwnode(dev, &p->fwnode)
+       device_add()
+
+parent probe
+       read device properties
+       ACPI_COMPANION_SET(subdevice, ACPI_COMPANION(parent))
+       device_add(subdevice)
+
+parent remove
+       device_del(subdevice)
+               device_remove_properties()
+                       set_secondary_fwnode(dev, NULL);
+                       pset_free()
+
+Parent device will have its primary firmware node pointing to an ACPI
+node and secondary firmware node point to device properties.
+
+ACPI_COMPANION_SET() call in parent probe will set the subdevice's
+firmware node to point to the same 'struct fwnode_handle' and the
+associated secondary firmware node, i.e. the device properties as the
+parent.
+
+When subdevice is deleted in parent remove that will remove those
+device properties and attempt to read device properties in next
+parent probe call will fail.
+
+Fix this by tracking the owner device of device properties and delete
+them only when owner device is being deleted.
+
+Fixes: 478573c93abd (driver core: Don't leak secondary fwnode on device removal)
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/property.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/base/property.c
++++ b/drivers/base/property.c
+@@ -20,6 +20,7 @@
+ #include <linux/phy.h>
+ struct property_set {
++      struct device *dev;
+       struct fwnode_handle fwnode;
+       struct property_entry *properties;
+ };
+@@ -817,6 +818,7 @@ static struct property_set *pset_copy_se
+ void device_remove_properties(struct device *dev)
+ {
+       struct fwnode_handle *fwnode;
++      struct property_set *pset;
+       fwnode = dev_fwnode(dev);
+       if (!fwnode)
+@@ -826,16 +828,16 @@ void device_remove_properties(struct dev
+        * the pset. If there is no real firmware node (ACPI/DT) primary
+        * will hold the pset.
+        */
+-      if (is_pset_node(fwnode)) {
++      pset = to_pset_node(fwnode);
++      if (pset) {
+               set_primary_fwnode(dev, NULL);
+-              pset_free_set(to_pset_node(fwnode));
+       } else {
+-              fwnode = fwnode->secondary;
+-              if (!IS_ERR(fwnode) && is_pset_node(fwnode)) {
++              pset = to_pset_node(fwnode->secondary);
++              if (pset && dev == pset->dev)
+                       set_secondary_fwnode(dev, NULL);
+-                      pset_free_set(to_pset_node(fwnode));
+-              }
+       }
++      if (pset && dev == pset->dev)
++              pset_free_set(pset);
+ }
+ EXPORT_SYMBOL_GPL(device_remove_properties);
+@@ -863,6 +865,7 @@ int device_add_properties(struct device
+       p->fwnode.type = FWNODE_PDATA;
+       set_secondary_fwnode(dev, &p->fwnode);
++      p->dev = dev;
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(device_add_properties);
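Review bot: In device_remove_properties() the explicit `!IS_ERR(fwnode)` test on the secondary node is dropped, and `to_pset_node(fwnode->secondary)` is now the only thing standing between an error-pointer secondary and the `pset->dev` dereference. The helper is not part of this hunk, so it is worth confirming that the 4.9 version returns NULL for ERR_PTR values as well as for NULL. If it does, a short comment at the call, such as `/* to_pset_node() returns NULL for an ERR_PTR or non-pset secondary */`, would record why the check could go. The new `dev` member of `struct property_set` also has no comment saying it names the owning device and is what gates `pset_free_set()`.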
diff --git a/queue-4.9/direct-io-prevent-null-pointer-access-in-submit_page_section.patch b/queue-4.9/direct-io-prevent-null-pointer-access-in-submit_page_section.patch
new file mode 100644 (file)
index 0000000..eac1d79
--- /dev/null
@@ -0,0 +1,37 @@
+From 899f0429c7d3eed886406cd72182bee3b96aa1f9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 9 Oct 2017 11:13:18 +0200
+Subject: direct-io: Prevent NULL pointer access in submit_page_section
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 899f0429c7d3eed886406cd72182bee3b96aa1f9 upstream.
+
+In the code added to function submit_page_section by commit b1058b981,
+sdio->bio can currently be NULL when calling dio_bio_submit.  This then
+leads to a NULL pointer access in dio_bio_submit, so check for a NULL
+bio in submit_page_section before trying to submit it instead.
+
+Fixes xfstest generic/250 on gfs2.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/direct-io.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -835,7 +835,8 @@ out:
+        */
+       if (sdio->boundary) {
+               ret = dio_send_cur_page(dio, sdio, map_bh);
+-              dio_bio_submit(dio, sdio);
++              if (sdio->bio)
++                      dio_bio_submit(dio, sdio);
+               put_page(sdio->cur_page);
+               sdio->cur_page = NULL;
+       }
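Review bot: The new `if (sdio->bio)` guard in submit_page_section() has no comment, and nothing in the surrounding lines shows why the bio can be missing after `dio_send_cur_page()`. A one-line comment would keep the check from being removed as redundant: `/* dio_send_cur_page() may leave sdio->bio NULL; dio_bio_submit() dereferences it */`. The function starts outside the hunk, so how `ret` from `dio_send_cur_page()` is handled when the submit is skipped is not visible here.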
diff --git a/queue-4.9/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch b/queue-4.9/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
new file mode 100644 (file)
index 0000000..957063e
--- /dev/null
@@ -0,0 +1,77 @@
+From 87a2f622cc6446c7d09ac655b7b9b04886f16a4c Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Mon, 18 Sep 2017 11:16:26 +0300
+Subject: dmaengine: edma: Align the memcpy acnt array size with the transfer
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit 87a2f622cc6446c7d09ac655b7b9b04886f16a4c upstream.
+
+Memory to Memory transfers does not have any special alignment needs
+regarding to acnt array size, but if one of the areas are in memory mapped
+regions (like PCIe memory), we need to make sure that the acnt array size
+is aligned with the mem copy parameters.
+
+Before "dmaengine: edma: Optimize memcpy operation" change the memcpy was set
+up in a different way: acnt == number of bytes in a word based on
+__ffs((src | dest | len), bcnt and ccnt for looping the necessary number of
+words to comlete the trasnfer.
+
+Instead of reverting the commit we can fix it to make sure that the ACNT size
+is aligned to the traswnfer.
+
+Fixes: df6694f80365a (dmaengine: edma: Optimize memcpy operation)
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/edma.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma/edma.c
++++ b/drivers/dma/edma.c
+@@ -1143,11 +1143,24 @@ static struct dma_async_tx_descriptor *e
+       struct edma_desc *edesc;
+       struct device *dev = chan->device->dev;
+       struct edma_chan *echan = to_edma_chan(chan);
+-      unsigned int width, pset_len;
++      unsigned int width, pset_len, array_size;
+       if (unlikely(!echan || !len))
+               return NULL;
++      /* Align the array size (acnt block) with the transfer properties */
++      switch (__ffs((src | dest | len))) {
++      case 0:
++              array_size = SZ_32K - 1;
++              break;
++      case 1:
++              array_size = SZ_32K - 2;
++              break;
++      default:
++              array_size = SZ_32K - 4;
++              break;
++      }
++
+       if (len < SZ_64K) {
+               /*
+                * Transfer size less than 64K can be handled with one paRAM
+@@ -1169,7 +1182,7 @@ static struct dma_async_tx_descriptor *e
+                * When the full_length is multibple of 32767 one slot can be
+                * used to complete the transfer.
+                */
+-              width = SZ_32K - 1;
++              width = array_size;
+               pset_len = rounddown(len, width);
+               /* One slot is enough for lengths multiple of (SZ_32K -1) */
+               if (unlikely(pset_len == len))
+@@ -1217,7 +1230,7 @@ static struct dma_async_tx_descriptor *e
+               }
+               dest += pset_len;
+               src += pset_len;
+-              pset_len = width = len % (SZ_32K - 1);
++              pset_len = width = len % array_size;
+               ret = edma_config_pset(chan, &edesc->pset[1], src, dest, 1,
+                                      width, pset_len, DMA_MEM_TO_MEM);
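Review bot: The two context comments in the multi-slot branch still describe the old fixed width ("multibple of 32767" and "lengths multiple of (SZ_32K -1)"), but `width` is now `array_size`, which can be `SZ_32K - 2` or `SZ_32K - 4`. They should follow the code, for example `/* One slot is enough for lengths that are a multiple of array_size */`. The `switch` on `__ffs((src | dest | len))` would also benefit from a sentence saying that cases 0, 1 and default correspond to byte, 2-byte and 4-byte alignment of the transfer. The function begins outside the hunks shown, so the types of `src`, `dest` and `len` are not visible.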
diff --git a/queue-4.9/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch b/queue-4.9/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
new file mode 100644 (file)
index 0000000..0344252
--- /dev/null
@@ -0,0 +1,40 @@
+From 2ccb4837c938357233a0b8818e3ca3e58242c952 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Thu, 21 Sep 2017 14:35:32 +0300
+Subject: dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit 2ccb4837c938357233a0b8818e3ca3e58242c952 upstream.
+
+When looking for unused xbar_out lane we should also protect the set_bit()
+call with the same mutex to protect against concurrent threads picking the
+same ID.
+
+Fixes: ec9bfa1e1a796 ("dmaengine: ti-dma-crossbar: dra7: Use bitops instead of idr")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/ti-dma-crossbar.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -262,13 +262,14 @@ static void *ti_dra7_xbar_route_allocate
+       mutex_lock(&xbar->mutex);
+       map->xbar_out = find_first_zero_bit(xbar->dma_inuse,
+                                           xbar->dma_requests);
+-      mutex_unlock(&xbar->mutex);
+       if (map->xbar_out == xbar->dma_requests) {
++              mutex_unlock(&xbar->mutex);
+               dev_err(&pdev->dev, "Run out of free DMA requests\n");
+               kfree(map);
+               return ERR_PTR(-ENOMEM);
+       }
+       set_bit(map->xbar_out, xbar->dma_inuse);
++      mutex_unlock(&xbar->mutex);
+       map->xbar_in = (u16)dma_spec->args[0];
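Review bot: The locking rule this change establishes in ti_dra7_xbar_route_allocate(), that the search and the `set_bit()` form one critical section, is not written down anywhere near the code. A comment before `mutex_lock()` would state it: `/* find_first_zero_bit() and set_bit() must run under xbar->mutex so two callers cannot claim the same output */`. The mutex is now released in two places; that is correct as written, but any error return added later between the lock and `set_bit()` will need its own unlock. The function starts and ends outside the hunk.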
diff --git a/queue-4.9/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch b/queue-4.9/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
new file mode 100644 (file)
index 0000000..da7b03f
--- /dev/null
@@ -0,0 +1,47 @@
+From ea850f64c2722278f150dc11de2141baeb24211c Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 28 Sep 2017 11:21:57 +0300
+Subject: drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit ea850f64c2722278f150dc11de2141baeb24211c upstream.
+
+While technically CHV isn't DDI, we do look at the VBT based DDI port
+info for HDMI DDC pin and DP AUX channel. (We call these "alternate",
+but they're really just something that aren't platform defaults.)
+
+In commit e4ab73a13291 ("drm/i915: Respect alternate_ddc_pin for all DDI
+ports") Ville writes, "IIRC there may be CHV system that might actually
+need this."
+
+I'm not sure why there couldn't be even more platforms that need this,
+but start conservative, and parse the info for CHV in addition to DDI.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100553
+Reported-by: Marek Wilczewski <mw@3cte.pl>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/d0815082cb98487618429b62414854137049b888.1506586821.git.jani.nikula@intel.com
+(cherry picked from commit 348e4058ebf53904e817eec7a1b25327143c2ed2)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_bios.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1219,7 +1219,7 @@ static void parse_ddi_ports(struct drm_i
+ {
+       enum port port;
+-      if (!HAS_DDI(dev_priv))
++      if (!HAS_DDI(dev_priv) && !IS_CHERRYVIEW(dev_priv))
+               return;
+       if (!dev_priv->vbt.child_dev_num)
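Review bot: The early-return condition in parse_ddi_ports() now lets a non-DDI platform through, and neither the function name nor the code says why. A comment above the test would carry the reasoning from the commit message into the source: `/* CHV is not DDI, but its VBT DDI port info supplies the HDMI DDC pin and DP AUX channel */`. The rest of the function is outside the hunk, so whether every field parsed further down is meaningful on CHV cannot be judged here.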
diff --git a/queue-4.9/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch b/queue-4.9/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
new file mode 100644 (file)
index 0000000..4b9377b
--- /dev/null
@@ -0,0 +1,53 @@
+From d7ba25bd9ef802ff02414e9105f4222d1795f27a Mon Sep 17 00:00:00 2001
+From: Manasi Navare <manasi.d.navare@intel.com>
+Date: Wed, 4 Oct 2017 09:48:26 -0700
+Subject: drm/i915/edp: Get the Panel Power Off timestamp after panel is off
+
+From: Manasi Navare <manasi.d.navare@intel.com>
+
+commit d7ba25bd9ef802ff02414e9105f4222d1795f27a upstream.
+
+Kernel stores the time in jiffies at which the eDP panel is turned
+off. This should be obtained after the panel is off (after the
+wait_panel_off). When we next attempt to turn the panel on, we use the
+difference between the timestamp at which we want to turn the panel on
+and timestamp at which panel was turned off to ensure that this is equal
+to panel power cycle delay and if not we wait for the remaining
+time. Not waiting for the panel power cycle delay can cause the panel to
+not turn on giving rise to AUX timeouts for the attempted AUX
+transactions.
+
+v2:
+* Separate lines for bugzilla (Jani Nikula)
+* Suggested by tag (Daniel Vetter)
+
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101518
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101144
+Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Manasi Navare <manasi.d.navare@intel.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Jani Nikula <jani.nikula@linux.intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1507135706-17147-1-git-send-email-manasi.d.navare@intel.com
+(cherry picked from commit cbacf02e7796fea02e5c6e46c90ed7cbe9e6f2c0)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_dp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -2193,8 +2193,8 @@ static void edp_panel_off(struct intel_d
+       I915_WRITE(pp_ctrl_reg, pp);
+       POSTING_READ(pp_ctrl_reg);
+-      intel_dp->panel_power_off_time = ktime_get_boottime();
+       wait_panel_off(intel_dp);
++      intel_dp->panel_power_off_time = ktime_get_boottime();
+       /* We got a reference when we enabled the VDD. */
+       power_domain = intel_display_port_aux_power_domain(intel_encoder);
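Review bot: The order of `wait_panel_off()` and the `panel_power_off_time` assignment in edp_panel_off() is now significant, yet the two lines look freely swappable to a reader. A comment would protect the ordering: `/* take the timestamp only after the panel is off; the power cycle delay is measured from it */`. The function starts and ends outside the hunk.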
diff --git a/queue-4.9/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch b/queue-4.9/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
new file mode 100644 (file)
index 0000000..5afcb58
--- /dev/null
@@ -0,0 +1,75 @@
+From 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Fri, 1 Apr 2016 18:37:25 +0300
+Subject: drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 upstream.
+
+intel_crtc->config->cpu_transcoder isn't yet filled out when
+intel_crtc_mode_get() gets called during output probing, so we should
+not use it there. Instead intel_crtc_mode_get() figures out the correct
+transcoder on its own, and that's what we should use.
+
+If the BIOS boots LVDS on pipe B, intel_crtc_mode_get() would actually
+end up reading the timings from pipe A instead (since PIPE_A==0),
+which clearly isn't what we want.
+
+It looks to me like this may have been broken by
+commit eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder")
+as that one removed the early initialization of cpu_transcoder from
+intel_crtc_init().
+
+Cc: dri-devel@lists.freedesktop.org
+Cc: Rob Kramer <rob@solution-space.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reported-by: Rob Kramer <rob@solution-space.com>
+Fixes: eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder")
+References: https://lists.freedesktop.org/archives/dri-devel/2016-April/104142.html
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/1459525046-19425-1-git-send-email-ville.syrjala@linux.intel.com
+(cherry picked from commit e30a154b5262b967b133b06ac40777e651045898)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -11471,13 +11471,10 @@ struct drm_display_mode *intel_crtc_mode
+ {
+       struct drm_i915_private *dev_priv = to_i915(dev);
+       struct intel_crtc *intel_crtc = to_intel_crtc(crtc);
+-      enum transcoder cpu_transcoder = intel_crtc->config->cpu_transcoder;
++      enum transcoder cpu_transcoder;
+       struct drm_display_mode *mode;
+       struct intel_crtc_state *pipe_config;
+-      int htot = I915_READ(HTOTAL(cpu_transcoder));
+-      int hsync = I915_READ(HSYNC(cpu_transcoder));
+-      int vtot = I915_READ(VTOTAL(cpu_transcoder));
+-      int vsync = I915_READ(VSYNC(cpu_transcoder));
++      u32 htot, hsync, vtot, vsync;
+       enum pipe pipe = intel_crtc->pipe;
+       mode = kzalloc(sizeof(*mode), GFP_KERNEL);
+@@ -11505,6 +11502,13 @@ struct drm_display_mode *intel_crtc_mode
+       i9xx_crtc_clock_get(intel_crtc, pipe_config);
+       mode->clock = pipe_config->port_clock / pipe_config->pixel_multiplier;
++
++      cpu_transcoder = pipe_config->cpu_transcoder;
++      htot = I915_READ(HTOTAL(cpu_transcoder));
++      hsync = I915_READ(HSYNC(cpu_transcoder));
++      vtot = I915_READ(VTOTAL(cpu_transcoder));
++      vsync = I915_READ(VSYNC(cpu_transcoder));
++
+       mode->hdisplay = (htot & 0xffff) + 1;
+       mode->htotal = ((htot & 0xffff0000) >> 16) + 1;
+       mode->hsync_start = (hsync & 0xffff) + 1;
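Review bot: The register reads in intel_crtc_mode_get() now depend on `pipe_config->cpu_transcoder`, and the assignment that fills that field is not in either hunk. If `pipe_config` is zero-initialised and the field is not set before `i9xx_crtc_clock_get()`, the reads would again land on transcoder 0, the pipe A symptom the commit message describes, so this is worth checking against the full 4.9 function. A comment at the new read block would make the dependency explicit: `/* use the transcoder set up in pipe_config above; intel_crtc->config is not filled in yet during output probing */`.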
diff --git a/queue-4.9/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch b/queue-4.9/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
new file mode 100644 (file)
index 0000000..52a5f3d
--- /dev/null
@@ -0,0 +1,46 @@
+From 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 Mon Sep 17 00:00:00 2001
+From: Vitaly Mayatskikh <v.mayatskih@gmail.com>
+Date: Fri, 22 Sep 2017 01:18:39 -0400
+Subject: fix unbalanced page refcounting in bio_map_user_iov
+
+From: Vitaly Mayatskikh <v.mayatskih@gmail.com>
+
+commit 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream.
+
+bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
+IO vector has small consecutive buffers belonging to the same page.
+bio_add_pc_page merges them into one, but the page reference is never
+dropped.
+
+Signed-off-by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1318,6 +1318,7 @@ struct bio *bio_map_user_iov(struct requ
+               offset = offset_in_page(uaddr);
+               for (j = cur_page; j < page_limit; j++) {
+                       unsigned int bytes = PAGE_SIZE - offset;
++                      unsigned short prev_bi_vcnt = bio->bi_vcnt;
+                       if (len <= 0)
+                               break;
+@@ -1332,6 +1333,13 @@ struct bio *bio_map_user_iov(struct requ
+                                           bytes)
+                               break;
++                      /*
++                       * check if vector was merged with previous
++                       * drop page reference if needed
++                       */
++                      if (bio->bi_vcnt == prev_bi_vcnt)
++                              put_page(pages[j]);
++
+                       len -= bytes;
+                       offset = 0;
+               }
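Review bot: The added comment in bio_map_user_iov() says what is checked but not why the reference has to be dropped, which is the part a later reader needs. Something like `/* bi_vcnt unchanged: the range was merged into the previous bvec, so this page has no entry of its own and the unmap path would never release it */` would explain the `put_page(pages[j])`. The test uses an unchanged `bio->bi_vcnt` as the signal for a merge, which ties it to how `bio_add_pc_page()` behaves in this tree. The loop and the function extend beyond the hunk.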
diff --git a/queue-4.9/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch b/queue-4.9/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
new file mode 100644 (file)
index 0000000..86c562c
--- /dev/null
@@ -0,0 +1,91 @@
+From f892760aa66a2d657deaf59538fb69433036767c Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <willy@infradead.org>
+Date: Fri, 13 Oct 2017 15:58:15 -0700
+Subject: fs/mpage.c: fix mpage_writepage() for pages with buffers
+
+From: Matthew Wilcox <willy@infradead.org>
+
+commit f892760aa66a2d657deaf59538fb69433036767c upstream.
+
+When using FAT on a block device which supports rw_page, we can hit
+BUG_ON(!PageLocked(page)) in try_to_free_buffers().  This is because we
+call clean_buffers() after unlocking the page we've written.  Introduce
+a new clean_page_buffers() which cleans all buffers associated with a
+page and call it from within bdev_write_page().
+
+[akpm@linux-foundation.org: s/PAGE_SIZE/~0U/ per Linus and Matthew]
+Link: http://lkml.kernel.org/r/20171006211541.GA7409@bombadil.infradead.org
+Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
+Reported-by: Toshi Kani <toshi.kani@hpe.com>
+Reported-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Tested-by: Toshi Kani <toshi.kani@hpe.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/block_dev.c              |    6 ++++--
+ fs/mpage.c                  |   14 +++++++++++---
+ include/linux/buffer_head.h |    1 +
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -450,10 +450,12 @@ int bdev_write_page(struct block_device
+       set_page_writeback(page);
+       result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, true);
+-      if (result)
++      if (result) {
+               end_page_writeback(page);
+-      else
++      } else {
++              clean_page_buffers(page);
+               unlock_page(page);
++      }
+       blk_queue_exit(bdev->bd_queue);
+       return result;
+ }
+--- a/fs/mpage.c
++++ b/fs/mpage.c
+@@ -466,6 +466,16 @@ static void clean_buffers(struct page *p
+               try_to_free_buffers(page);
+ }
++/*
++ * For situations where we want to clean all buffers attached to a page.
++ * We don't need to calculate how many buffers are attached to the page,
++ * we just need to specify a number larger than the maximum number of buffers.
++ */
++void clean_page_buffers(struct page *page)
++{
++      clean_buffers(page, ~0U);
++}
++
+ static int __mpage_writepage(struct page *page, struct writeback_control *wbc,
+                     void *data)
+ {
+@@ -604,10 +614,8 @@ alloc_new:
+       if (bio == NULL) {
+               if (first_unmapped == blocks_per_page) {
+                       if (!bdev_write_page(bdev, blocks[0] << (blkbits - 9),
+-                                                              page, wbc)) {
+-                              clean_buffers(page, first_unmapped);
++                                                              page, wbc))
+                               goto out;
+-                      }
+               }
+               bio = mpage_alloc(bdev, blocks[0] << (blkbits - 9),
+                               BIO_MAX_PAGES, GFP_NOFS|__GFP_HIGH);
+--- a/include/linux/buffer_head.h
++++ b/include/linux/buffer_head.h
+@@ -226,6 +226,7 @@ int generic_write_end(struct file *, str
+                               loff_t, unsigned, unsigned,
+                               struct page *, void *);
+ void page_zero_new_buffers(struct page *page, unsigned from, unsigned to);
++void clean_page_buffers(struct page *page);
+ int cont_write_begin(struct file *, struct address_space *, loff_t,
+                       unsigned, unsigned, struct page **, void **,
+                       get_block_t *, loff_t *);
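Review bot: `clean_page_buffers()` now runs on the success path of every `bdev_write_page()` caller, not only when `__mpage_writepage()` has established `first_unmapped == blocks_per_page`. Only the tail of `clean_buffers()` is visible in the fs/mpage.c hunk, so confirm that it returns early for a page with no buffer heads, since other callers may pass such pages. The new header comment explains the `~0U` argument well; it could add one line stating the caller's obligation, `/* Caller must hold the page lock: try_to_free_buffers() requires it */`, which is the condition this fix restores.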
diff --git a/queue-4.9/hid-usbhid-fix-out-of-bounds-bug.patch b/queue-4.9/hid-usbhid-fix-out-of-bounds-bug.patch
new file mode 100644 (file)
index 0000000..2dd5d64
--- /dev/null
@@ -0,0 +1,108 @@
+From f043bfc98c193c284e2cd768fefabe18ac2fed9b Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Thu, 28 Sep 2017 19:16:30 +0900
+Subject: HID: usbhid: fix out-of-bounds bug
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream.
+
+The hid descriptor identifies the length and type of subordinate
+descriptors for a device. If the received hid descriptor is smaller than
+the size of the struct hid_descriptor, it is possible to cause
+out-of-bounds.
+
+In addition, if bNumDescriptors of the hid descriptor have an incorrect
+value, this can also cause out-of-bounds while approaching hdesc->desc[n].
+
+So check the size of hid descriptor and bNumDescriptors.
+
+       BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
+       Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
+
+       CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
+       4.14.0-rc1-42251-gebb2c2437d80 #169
+       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+       Workqueue: usb_hub_wq hub_event
+       Call Trace:
+       __dump_stack lib/dump_stack.c:16
+       dump_stack+0x292/0x395 lib/dump_stack.c:52
+       print_address_description+0x78/0x280 mm/kasan/report.c:252
+       kasan_report_error mm/kasan/report.c:351
+       kasan_report+0x22f/0x340 mm/kasan/report.c:409
+       __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
+       usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
+       hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
+       usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
+       usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+       really_probe drivers/base/dd.c:413
+       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+       device_add+0xd0b/0x1660 drivers/base/core.c:1835
+       usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
+       generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
+       usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
+       really_probe drivers/base/dd.c:413
+       driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+       __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+       bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+       __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+       device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+       bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+       device_add+0xd0b/0x1660 drivers/base/core.c:1835
+       usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
+       hub_port_connect drivers/usb/core/hub.c:4903
+       hub_port_connect_change drivers/usb/core/hub.c:5009
+       port_event drivers/usb/core/hub.c:5115
+       hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
+       process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
+       worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+       kthread+0x3a1/0x470 kernel/kthread.c:231
+       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hid-core.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -971,6 +971,8 @@ static int usbhid_parse(struct hid_devic
+       unsigned int rsize = 0;
+       char *rdesc;
+       int ret, n;
++      int num_descriptors;
++      size_t offset = offsetof(struct hid_descriptor, desc);
+       quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
+                       le16_to_cpu(dev->descriptor.idProduct));
+@@ -993,10 +995,18 @@ static int usbhid_parse(struct hid_devic
+               return -ENODEV;
+       }
++      if (hdesc->bLength < sizeof(struct hid_descriptor)) {
++              dbg_hid("hid descriptor is too short\n");
++              return -EINVAL;
++      }
++
+       hid->version = le16_to_cpu(hdesc->bcdHID);
+       hid->country = hdesc->bCountryCode;
+-      for (n = 0; n < hdesc->bNumDescriptors; n++)
++      num_descriptors = min_t(int, hdesc->bNumDescriptors,
++             (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
++
++      for (n = 0; n < num_descriptors; n++)
+               if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
+                       rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
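Review bot: The new bound on `num_descriptors` in usbhid_parse() is derived from `hdesc->bLength`, a value supplied by the device, so it limits the loop to what the descriptor claims rather than to the buffer that `hdesc` points into. The lookup that yields `hdesc` is outside the hunk; it is worth confirming that `bLength` has already been validated against the remaining descriptor data there, otherwise an oversized `bLength` still allows reads past the end. The subtraction `hdesc->bLength - offset` is safe only because of the `bLength < sizeof(struct hid_descriptor)` check added just above, which a comment could record: `/* bLength >= sizeof(*hdesc) was checked above, so this cannot wrap */`. Since the rejection is logged only through `dbg_hid()`, a malformed descriptor leaves no trace in a default kernel log.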
diff --git a/queue-4.9/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch b/queue-4.9/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
new file mode 100644 (file)
index 0000000..48190b2
--- /dev/null
@@ -0,0 +1,31 @@
+From ce76353f169a6471542d999baf3d29b121dce9c0 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Fri, 13 Oct 2017 14:32:37 +0200
+Subject: iommu/amd: Finish TLB flush in amd_iommu_unmap()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit ce76353f169a6471542d999baf3d29b121dce9c0 upstream.
+
+The function only sends the flush command to the IOMMU(s),
+but does not wait for its completion when it returns. Fix
+that.
+
+Fixes: 601367d76bd1 ('x86/amd-iommu: Remove iommu_flush_domain function')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3120,6 +3120,7 @@ static size_t amd_iommu_unmap(struct iom
+       mutex_unlock(&domain->api_lock);
+       domain_flush_tlb_pde(domain);
++      domain_flush_complete(domain);
+       return unmap_size;
+ }
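Review bot: The added `domain_flush_complete(domain)` in amd_iommu_unmap() carries a guarantee that callers rely on but the code does not state: the flush has finished by the time the function returns. A comment would keep it from being dropped as an optimisation: `/* wait for the flush to complete so no stale IOTLB entry for the unmapped range survives the return */`. Both flush calls sit after `mutex_unlock(&domain->api_lock)`; whether they need that lock is not visible in this hunk. The function begins outside it.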
diff --git a/queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch b/queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch
new file mode 100644 (file)
index 0000000..513c467
--- /dev/null
@@ -0,0 +1,80 @@
+From 829ee279aed43faa5cb1e4d65c0cad52f2426c53 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 5 Oct 2017 11:10:23 +0200
+Subject: KVM: MMU: always terminate page walks at level 1
+
+From: Ladi Prosek <lprosek@redhat.com>
+
+commit 829ee279aed43faa5cb1e4d65c0cad52f2426c53 upstream.
+
+is_last_gpte() is not equivalent to the pseudo-code given in commit
+6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
+value of last_nonleaf_level may override the result even if level == 1.
+
+It is critical for is_last_gpte() to return true on level == 1 to
+terminate page walks. Otherwise memory corruption may occur as level
+is used as an index to various data structures throughout the page
+walking code.  Even though the actual bug would be wherever the MMU is
+initialized (as in the previous patch), be defensive and ensure here
+that is_last_gpte() returns the correct value.
+
+This patch is also enough to fix CVE-2017-12188.
+
+Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
+Cc: Andy Honig <ahonig@google.com>
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+[Panic if walk_addr_generic gets an incorrect level; this is a serious
+ bug and it's not worth a WARN_ON where the recovery path might hide
+ further exploitable issues; suggested by Andrew Honig. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c         |   14 +++++++-------
+ arch/x86/kvm/paging_tmpl.h |    3 ++-
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -3649,19 +3649,19 @@ static inline bool is_last_gpte(struct k
+                               unsigned level, unsigned gpte)
+ {
+       /*
+-       * PT_PAGE_TABLE_LEVEL always terminates.  The RHS has bit 7 set
+-       * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
+-       * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
+-       */
+-      gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
+-
+-      /*
+        * The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
+        * If it is clear, there are no large pages at this level, so clear
+        * PT_PAGE_SIZE_MASK in gpte if that is the case.
+        */
+       gpte &= level - mmu->last_nonleaf_level;
++      /*
++       * PT_PAGE_TABLE_LEVEL always terminates.  The RHS has bit 7 set
++       * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
++       * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
++       */
++      gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
++
+       return gpte & PT_PAGE_SIZE_MASK;
+ }
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -324,10 +324,11 @@ retry_walk:
+               --walker->level;
+               index = PT_INDEX(addr, walker->level);
+-
+               table_gfn = gpte_to_gfn(pte);
+               offset    = index * sizeof(pt_element_t);
+               pte_gpa   = gfn_to_gpa(table_gfn) + offset;
++
++              BUG_ON(walker->level < 1);
+               walker->table_gfn[walker->level - 1] = table_gfn;
+               walker->pte_gpa[walker->level - 1] = pte_gpa;
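Review bot: In is_last_gpte() the fix consists entirely of the order of two statements, and the comments do not say that the order matters. The `gpte |= level - PT_PAGE_TABLE_LEVEL - 1` line must now run after the `gpte &= level - mmu->last_nonleaf_level` mask, otherwise a bad last_nonleaf_level can clear the bit again. I would extend the moved comment with `* Must come after the last_nonleaf_level mask so a bad value there cannot undo it.`. In paging_tmpl.h, `BUG_ON(walker->level < 1)` protects the two `walker->level - 1` array writes, and a comment such as `/* level indexes table_gfn[]/pte_gpa[]; never continue with level 0 */` would discourage a later downgrade to WARN_ON. The walk loop around `retry_walk` begins and ends outside the hunk.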
diff --git a/queue-4.9/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch b/queue-4.9/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
new file mode 100644 (file)
index 0000000..0a9aa17
--- /dev/null
@@ -0,0 +1,55 @@
+From 8eb3f87d903168bdbd1222776a6b1e281f50513e Mon Sep 17 00:00:00 2001
+From: Haozhong Zhang <haozhong.zhang@intel.com>
+Date: Tue, 10 Oct 2017 15:01:22 +0800
+Subject: KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
+
+From: Haozhong Zhang <haozhong.zhang@intel.com>
+
+commit 8eb3f87d903168bdbd1222776a6b1e281f50513e upstream.
+
+When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
+guest CR4. Before this CR4 loading, the guest CR4 refers to L2
+CR4. Because these two CR4's are in different levels of guest, we
+should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
+is used to handle guest writes to its CR4, checks the guest change to
+CR4 and may fail if the change is invalid.
+
+The failure may cause trouble. Consider we start
+  a L1 guest with non-zero L1 PCID in use,
+     (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
+and
+  a L2 guest with L2 PCID disabled,
+     (i.e. L2 CR4.PCIDE == 0)
+and following events may happen:
+
+1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
+   into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
+   of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
+   vcpu->arch.cr4) is left to the value of L2 CR4.
+
+2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
+   kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
+   because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
+   CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
+
+Fixes: 4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10690,7 +10690,7 @@ static void load_vmcs12_host_state(struc
+        * (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask();
+        */
+       vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
+-      kvm_set_cr4(vcpu, vmcs12->host_cr4);
++      vmx_set_cr4(vcpu, vmcs12->host_cr4);
+       nested_ept_uninit_mmu_context(vcpu);
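Review bot: The switch to `vmx_set_cr4()` in load_vmcs12_host_state() is not explained next to the call, so a later reader may change it back to the checked helper. I would add `/* L2->L1 switch, not a guest CR4 write: skip kvm_set_cr4()'s validity checks */` above it. kvm_set_cr4() may also do follow-up work when CR4 bits change that vmx_set_cr4() does not do. Whether any of that is still needed on this path cannot be seen here, because the function continues outside the hunk, so it is worth confirming.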
diff --git a/queue-4.9/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch b/queue-4.9/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
new file mode 100644 (file)
index 0000000..6b5566b
--- /dev/null
@@ -0,0 +1,53 @@
+From ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Fri, 8 Sep 2017 15:12:21 -0700
+Subject: MIPS: math-emu: Remove pr_err() calls from fpu_emu()
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 upstream.
+
+The FPU emulator includes 2 calls to pr_err() which are triggered by
+invalid instruction encodings for MIPSr6 cmp.cond.fmt instructions.
+These cases are not kernel errors, merely invalid instructions which are
+already handled by delivering a SIGILL which will provide notification
+that something failed in cases where that makes sense.
+
+In cases where that SIGILL is somewhat expected & being handled, for
+example when crashme happens to generate one of the affected bad
+encodings, the message is printed with no useful context about what
+triggered it & spams the kernel log for no good reason.
+
+Remove the pr_err() calls to make crashme run silently & treat the bad
+encodings the same way we do others, with a SIGILL & no further kernel
+log output.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Fixes: f8c3c6717a71 ("MIPS: math-emu: Add support for the CMP.condn.fmt R6 instruction")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17253/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -2386,7 +2386,6 @@ dcopuop:
+                                       break;
+                               default:
+                                       /* Reserved R6 ops */
+-                                      pr_err("Reserved MIPS R6 CMP.condn.S operation\n");
+                                       return SIGILL;
+                               }
+                       }
+@@ -2460,7 +2459,6 @@ dcopuop:
+                                       break;
+                               default:
+                                       /* Reserved R6 ops */
+-                                      pr_err("Reserved MIPS R6 CMP.condn.D operation\n");
+                                       return SIGILL;
+                               }
+                       }
diff --git a/queue-4.9/more-bio_map_user_iov-leak-fixes.patch b/queue-4.9/more-bio_map_user_iov-leak-fixes.patch
new file mode 100644 (file)
index 0000000..bb23f9b
--- /dev/null
@@ -0,0 +1,58 @@
+From 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 23 Sep 2017 15:51:23 -0400
+Subject: more bio_map_user_iov() leak fixes
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream.
+
+we need to take care of failure exit as well - pages already
+in bio should be dropped by analogue of bio_unmap_pages(),
+since their refcounts had been bumped only once per reference
+in bio.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1266,6 +1266,7 @@ struct bio *bio_map_user_iov(struct requ
+       int ret, offset;
+       struct iov_iter i;
+       struct iovec iov;
++      struct bio_vec *bvec;
+       iov_for_each(iov, i, *iter) {
+               unsigned long uaddr = (unsigned long) iov.iov_base;
+@@ -1310,7 +1311,12 @@ struct bio *bio_map_user_iov(struct requ
+               ret = get_user_pages_fast(uaddr, local_nr_pages,
+                               (iter->type & WRITE) != WRITE,
+                               &pages[cur_page]);
+-              if (ret < local_nr_pages) {
++              if (unlikely(ret < local_nr_pages)) {
++                      for (j = cur_page; j < page_limit; j++) {
++                              if (!pages[j])
++                                      break;
++                              put_page(pages[j]);
++                      }
+                       ret = -EFAULT;
+                       goto out_unmap;
+               }
+@@ -1372,10 +1378,8 @@ struct bio *bio_map_user_iov(struct requ
+       return bio;
+  out_unmap:
+-      for (j = 0; j < nr_pages; j++) {
+-              if (!pages[j])
+-                      break;
+-              put_page(pages[j]);
++      bio_for_each_segment_all(bvec, bio, j) {
++              put_page(bvec->bv_page);
+       }
+  out:
+       kfree(pages);
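Review bot: The new cleanup loop after get_user_pages_fast() walks `pages[]` from `cur_page` and stops at the first NULL entry, which is only correct if the array was zero-filled on allocation, and the hunk does not show that. When `ret` is positive it already holds the number of pages pinned, so the bound can be stated directly, for example `for (j = 0; j < ret; j++) put_page(pages[cur_page + j]);`, provided `j` is a signed int so that a negative `ret` skips the loop. The rewritten `out_unmap` path iterates `bio_for_each_segment_all(bvec, bio, j)` and so assumes `bio` is valid at every `goto out_unmap`; the function body lies mostly outside the hunks, so that should be checked. A short comment at `out_unmap` saying that only pages already added to the bio are dropped there would record the split between the two cleanup sites.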
diff --git a/queue-4.9/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch b/queue-4.9/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
new file mode 100644 (file)
index 0000000..6493ce8
--- /dev/null
@@ -0,0 +1,43 @@
+From 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Tue, 26 Sep 2017 15:51:28 +0200
+Subject: pinctrl/amd: Fix build dependency on pinmux code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Petr Mladek <pmladek@suse.com>
+
+commit 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de upstream.
+
+The commit 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over
+suspend/resume") caused the following compilation errors:
+
+drivers/pinctrl/pinctrl-amd.c: In function â€˜amd_gpio_should_save’:
+drivers/pinctrl/pinctrl-amd.c:741:8: error: â€˜const struct pin_desc’ has no member named â€˜mux_owner’
+  if (pd->mux_owner || pd->gpio_owner ||
+        ^
+drivers/pinctrl/pinctrl-amd.c:741:25: error: â€˜const struct pin_desc’ has no member named â€˜gpio_owner’
+  if (pd->mux_owner || pd->gpio_owner ||
+
+We need to enable CONFIG_PINMUX for this driver as well.
+
+Fixes: 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over suspend/resume")
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -82,6 +82,7 @@ config PINCTRL_AMD
+       tristate "AMD GPIO pin control"
+       depends on GPIOLIB
+       select GPIOLIB_IRQCHIP
++      select PINMUX
+       select PINCONF
+       select GENERIC_PINCONF
+       help
index a541ef32a053ea0c9ca5adf742230d17fd9f6777..8d3d2c06da4ec229dc437aecd7f68547b66ad17d 100644 (file)
@@ -2,3 +2,36 @@ ext4-in-ext4_seek_-hole-data-return-enxio-for-negative-offsets.patch
 cifs-reconnect-expired-smb-sessions.patch
 nl80211-define-policy-for-packet-pattern-attributes.patch
 rcu-allow-for-page-faults-in-nmi-handlers.patch
+usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
+mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
+dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
+dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
+hid-usbhid-fix-out-of-bounds-bug.patch
+crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
+kvm-mmu-always-terminate-page-walks-at-level-1.patch
+kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
+usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
+pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
+iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
+device-property-track-owner-device-of-device-property.patch
+fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
+alsa-usb-audio-kill-stray-urb-at-exiting.patch
+alsa-seq-fix-use-after-free-at-creating-a-port.patch
+alsa-seq-fix-copy_from_user-call-inside-lock.patch
+alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
+alsa-line6-fix-missing-initialization-before-error-path.patch
+alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
+drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
+drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
+drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
+usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
+usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
+direct-io-prevent-null-pointer-access-in-submit_page_section.patch
+fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
+more-bio_map_user_iov-leak-fixes.patch
+bio_copy_user_iov-don-t-ignore-iov_offset.patch
+usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
+usb-serial-cp210x-add-support-for-elv-tfd500.patch
+usb-serial-option-add-support-for-tp-link-lte-module.patch
+usb-serial-qcserial-add-dell-dw5818-dw5819.patch
+usb-serial-console-fix-use-after-free-after-failed-setup.patch
diff --git a/queue-4.9/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch b/queue-4.9/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
new file mode 100644 (file)
index 0000000..a7227c4
--- /dev/null
@@ -0,0 +1,107 @@
+From ab219221a5064abfff9f78c323c4a257b16cdb81 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 6 Oct 2017 10:27:44 -0400
+Subject: USB: dummy-hcd: Fix deadlock caused by disconnect detection
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream.
+
+The dummy-hcd driver calls the gadget driver's disconnect callback
+under the wrong conditions.  It should invoke the callback when Vbus
+power is turned off, but instead it does so when the D+ pullup is
+turned off.
+
+This can cause a deadlock in the composite core when a gadget driver
+is unregistered:
+
+[   88.361471] ============================================
+[   88.362014] WARNING: possible recursive locking detected
+[   88.362580] 4.14.0-rc2+ #9 Not tainted
+[   88.363010] --------------------------------------------
+[   88.363561] v4l_id/526 is trying to acquire lock:
+[   88.364062]  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547e03>] composite_disconnect+0x43/0x100 [libcomposite]
+[   88.365051]
+[   88.365051] but task is already holding lock:
+[   88.365826]  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
+[   88.366858]
+[   88.366858] other info that might help us debug this:
+[   88.368301]  Possible unsafe locking scenario:
+[   88.368301]
+[   88.369304]        CPU0
+[   88.369701]        ----
+[   88.370101]   lock(&(&cdev->lock)->rlock);
+[   88.370623]   lock(&(&cdev->lock)->rlock);
+[   88.371145]
+[   88.371145]  *** DEADLOCK ***
+[   88.371145]
+[   88.372211]  May be due to missing lock nesting notation
+[   88.372211]
+[   88.373191] 2 locks held by v4l_id/526:
+[   88.373715]  #0:  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
+[   88.374814]  #1:  (&(&dum_hcd->dum->lock)->rlock){....}, at: [<ffffffffa05bd48d>] dummy_pullup+0x7d/0xf0 [dummy_hcd]
+[   88.376289]
+[   88.376289] stack backtrace:
+[   88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9
+[   88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[   88.379504] Call Trace:
+[   88.380019]  dump_stack+0x86/0xc7
+[   88.380605]  __lock_acquire+0x841/0x1120
+[   88.381252]  lock_acquire+0xd5/0x1c0
+[   88.381865]  ? composite_disconnect+0x43/0x100 [libcomposite]
+[   88.382668]  _raw_spin_lock_irqsave+0x40/0x54
+[   88.383357]  ? composite_disconnect+0x43/0x100 [libcomposite]
+[   88.384290]  composite_disconnect+0x43/0x100 [libcomposite]
+[   88.385490]  set_link_state+0x2d4/0x3c0 [dummy_hcd]
+[   88.386436]  dummy_pullup+0xa7/0xf0 [dummy_hcd]
+[   88.387195]  usb_gadget_disconnect+0xd8/0x160 [udc_core]
+[   88.387990]  usb_gadget_deactivate+0xd3/0x160 [udc_core]
+[   88.388793]  usb_function_deactivate+0x64/0x80 [libcomposite]
+[   88.389628]  uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
+
+This patch changes the code to test the port-power status bit rather
+than the port-connect status bit when deciding whether to isue the
+callback.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: David Tulloh <david@tulloh.id.au>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -420,6 +420,7 @@ static void set_link_state_by_speed(stru
+ static void set_link_state(struct dummy_hcd *dum_hcd)
+ {
+       struct dummy *dum = dum_hcd->dum;
++      unsigned int power_bit;
+       dum_hcd->active = 0;
+       if (dum->pullup)
+@@ -430,17 +431,19 @@ static void set_link_state(struct dummy_
+                       return;
+       set_link_state_by_speed(dum_hcd);
++      power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ?
++                      USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
+       if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 ||
+            dum_hcd->active)
+               dum_hcd->resuming = 0;
+       /* Currently !connected or in reset */
+-      if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 ||
++      if ((dum_hcd->port_status & power_bit) == 0 ||
+                       (dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) {
+-              unsigned disconnect = USB_PORT_STAT_CONNECTION &
++              unsigned int disconnect = power_bit &
+                               dum_hcd->old_status & (~dum_hcd->port_status);
+-              unsigned reset = USB_PORT_STAT_RESET &
++              unsigned int reset = USB_PORT_STAT_RESET &
+                               (~dum_hcd->old_status) & dum_hcd->port_status;
+               /* Report reset and disconnect events to the driver */
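Review bot: The comment `/* Currently !connected or in reset */` in set_link_state() is stale after this change, because the condition below it now tests `power_bit` rather than USB_PORT_STAT_CONNECTION. I would change it to `/* Currently !powered or in reset */`. The local is still named `disconnect` although it now records a power-off transition, so a short comment such as `/* set when port power went from on to off */` would keep it readable. The function continues past the end of the hunk.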
diff --git a/queue-4.9/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch b/queue-4.9/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
new file mode 100644 (file)
index 0000000..fc049e4
--- /dev/null
@@ -0,0 +1,58 @@
+From aec17e1e249567e82b26dafbb86de7d07fde8729 Mon Sep 17 00:00:00 2001
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Date: Sat, 30 Sep 2017 08:55:55 -0700
+Subject: usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
+
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+
+commit aec17e1e249567e82b26dafbb86de7d07fde8729 upstream.
+
+KASAN enabled configuration reports an error
+
+    BUG: KASAN: use-after-free in usb_composite_overwrite_options+...
+                [libcomposite] at addr ...
+    Read of size 1 by task ...
+
+when some driver is un-bound and then bound again.
+For example, this happens with FunctionFS driver when "ffs-test"
+test application is run several times in a row.
+
+If the driver has empty manufacturer ID string in initial static data,
+it is then replaced with generated string. After driver unbinding
+the generated string is freed, but the driver data still keep that
+pointer. And if the driver is then bound again, that pointer
+is re-used for string emptiness check.
+
+The fix is to clean up the driver string data upon its unbinding
+to drop the pointer to freed memory.
+
+Fixes: cc2683c318a5 ("usb: gadget: Provide a default implementation of default manufacturer string")
+Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/composite.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2018,6 +2018,8 @@ static DEVICE_ATTR_RO(suspended);
+ static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver)
+ {
+       struct usb_composite_dev        *cdev = get_gadget_data(gadget);
++      struct usb_gadget_strings       *gstr = cdev->driver->strings[0];
++      struct usb_string               *dev_str = gstr->strings;
+       /* composite_disconnect() must already have been called
+        * by the underlying peripheral controller driver!
+@@ -2037,6 +2039,9 @@ static void __composite_unbind(struct us
+       composite_dev_cleanup(cdev);
++      if (dev_str[USB_GADGET_MANUFACTURER_IDX].s == cdev->def_manufacturer)
++              dev_str[USB_GADGET_MANUFACTURER_IDX].s = "";
++
+       kfree(cdev->def_manufacturer);
+       kfree(cdev);
+       set_gadget_data(gadget, NULL);
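Review bot: The two new initialisers at the top of __composite_unbind() dereference `cdev->driver->strings[0]` and then `gstr->strings` with no NULL check, before anything else in the function runs. Whether every composite driver registers a strings table is not visible here; if one does not, unbind would fault. I would guard both levels, for example `gstr = cdev->driver->strings ? cdev->driver->strings[0] : NULL;`, and test `gstr` before comparing `.s` with `cdev->def_manufacturer`. The fix also assumes that the table passed to usb_composite_overwrite_options() was `strings[0]`, which deserves a comment next to the comparison.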
diff --git a/queue-4.9/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch b/queue-4.9/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
new file mode 100644 (file)
index 0000000..c6e4449
--- /dev/null
@@ -0,0 +1,141 @@
+From ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc Mon Sep 17 00:00:00 2001
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Date: Sat, 30 Sep 2017 08:54:52 -0700
+Subject: usb: gadget: configfs: Fix memory leak of interface directory data
+
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+
+commit ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc upstream.
+
+Kmemleak checking configuration reports a memory leak in
+usb_os_desc_prepare_interf_dir function when rndis function
+instance is freed and then allocated again. For example, this
+happens with FunctionFS driver with RNDIS function enabled
+when "ffs-test" test application is run several times in a row.
+
+The data for intermediate "os_desc" group for interface directories
+is allocated as a single VLA chunk and (after a change of default
+groups handling) is not ever freed and actually not stored anywhere
+besides inside a list of default groups of a parent group.
+
+The fix is to make usb_os_desc_prepare_interf_dir function return
+a pointer to allocated data (as a pointer to the first VLA item)
+instead of (an unused) integer and to make the caller component
+(currently the only one is RNDIS function) responsible for storing
+the pointer and freeing the memory when appropriate.
+
+Fixes: 1ae1602de028 ("configfs: switch ->default groups to a linked list")
+Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c         |   15 ++++++++-------
+ drivers/usb/gadget/configfs.h         |   11 ++++++-----
+ drivers/usb/gadget/function/f_rndis.c |   12 ++++++++++--
+ drivers/usb/gadget/function/u_rndis.h |    1 +
+ 4 files changed, 25 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1140,11 +1140,12 @@ static struct configfs_attribute *interf
+       NULL
+ };
+-int usb_os_desc_prepare_interf_dir(struct config_group *parent,
+-                                 int n_interf,
+-                                 struct usb_os_desc **desc,
+-                                 char **names,
+-                                 struct module *owner)
++struct config_group *usb_os_desc_prepare_interf_dir(
++              struct config_group *parent,
++              int n_interf,
++              struct usb_os_desc **desc,
++              char **names,
++              struct module *owner)
+ {
+       struct config_group *os_desc_group;
+       struct config_item_type *os_desc_type, *interface_type;
+@@ -1156,7 +1157,7 @@ int usb_os_desc_prepare_interf_dir(struc
+       char *vlabuf = kzalloc(vla_group_size(data_chunk), GFP_KERNEL);
+       if (!vlabuf)
+-              return -ENOMEM;
++              return ERR_PTR(-ENOMEM);
+       os_desc_group = vla_ptr(vlabuf, data_chunk, os_desc_group);
+       os_desc_type = vla_ptr(vlabuf, data_chunk, os_desc_type);
+@@ -1181,7 +1182,7 @@ int usb_os_desc_prepare_interf_dir(struc
+               configfs_add_default_group(&d->group, os_desc_group);
+       }
+-      return 0;
++      return os_desc_group;
+ }
+ EXPORT_SYMBOL(usb_os_desc_prepare_interf_dir);
+--- a/drivers/usb/gadget/configfs.h
++++ b/drivers/usb/gadget/configfs.h
+@@ -5,11 +5,12 @@
+ void unregister_gadget_item(struct config_item *item);
+-int usb_os_desc_prepare_interf_dir(struct config_group *parent,
+-                                 int n_interf,
+-                                 struct usb_os_desc **desc,
+-                                 char **names,
+-                                 struct module *owner);
++struct config_group *usb_os_desc_prepare_interf_dir(
++              struct config_group *parent,
++              int n_interf,
++              struct usb_os_desc **desc,
++              char **names,
++              struct module *owner);
+ static inline struct usb_os_desc *to_usb_os_desc(struct config_item *item)
+ {
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -892,6 +892,7 @@ static void rndis_free_inst(struct usb_f
+                       free_netdev(opts->net);
+       }
++      kfree(opts->rndis_interf_group);        /* single VLA chunk */
+       kfree(opts);
+ }
+@@ -900,6 +901,7 @@ static struct usb_function_instance *rnd
+       struct f_rndis_opts *opts;
+       struct usb_os_desc *descs[1];
+       char *names[1];
++      struct config_group *rndis_interf_group;
+       opts = kzalloc(sizeof(*opts), GFP_KERNEL);
+       if (!opts)
+@@ -920,8 +922,14 @@ static struct usb_function_instance *rnd
+       names[0] = "rndis";
+       config_group_init_type_name(&opts->func_inst.group, "",
+                                   &rndis_func_type);
+-      usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs,
+-                                     names, THIS_MODULE);
++      rndis_interf_group =
++              usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs,
++                                             names, THIS_MODULE);
++      if (IS_ERR(rndis_interf_group)) {
++              rndis_free_inst(&opts->func_inst);
++              return ERR_CAST(rndis_interf_group);
++      }
++      opts->rndis_interf_group = rndis_interf_group;
+       return &opts->func_inst;
+ }
+--- a/drivers/usb/gadget/function/u_rndis.h
++++ b/drivers/usb/gadget/function/u_rndis.h
+@@ -26,6 +26,7 @@ struct f_rndis_opts {
+       bool                            bound;
+       bool                            borrowed_net;
++      struct config_group             *rndis_interf_group;
+       struct usb_os_desc              rndis_os_desc;
+       char                            rndis_ext_compat_id[16];
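Review bot: `kfree(opts->rndis_interf_group)` in rndis_free_inst() is valid only because the `os_desc_group` pointer returned by usb_os_desc_prepare_interf_dir() is the first item of the `vlabuf` allocation, and neither the function nor its prototype in configfs.h states that contract. I would document it at the prototype: `/* Returns the start of one kzalloc'd chunk (or ERR_PTR); the caller owns it and must kfree() it. */`. Without that, a reordering of the vla items would turn the free into a kfree() of an interior pointer. The error path in rndis_alloc_inst() calls rndis_free_inst() while `rndis_interf_group` is still unset, which relies on `opts` having come from kzalloc().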
diff --git a/queue-4.9/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch b/queue-4.9/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
new file mode 100644 (file)
index 0000000..f73ab0d
--- /dev/null
@@ -0,0 +1,40 @@
+From 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 Mon Sep 17 00:00:00 2001
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+Date: Mon, 2 Oct 2017 14:01:41 +0900
+Subject: usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
+
+From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+
+commit 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 upstream.
+
+The DREQE bit of the DnFIFOSEL should be set to 1 after the DE bit of
+USB-DMAC on R-Car SoCs is set to 1 after the USB-DMAC received a
+zero-length packet. Otherwise, a transfer completion interruption
+of USB-DMAC doesn't happen. Even if the driver changes the sequence,
+normal operations (transmit/receive without zero-length packet) will
+not cause any side-effects. So, this patch fixes the sequence anyway.
+
+Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
+[shimoda: revise the commit log]
+Fixes: e73a9891b3a1 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -860,9 +860,9 @@ static void xfer_work(struct work_struct
+               fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero);
+       usbhs_pipe_running(pipe, 1);
+-      usbhsf_dma_start(pipe, fifo);
+       usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
+       dma_async_issue_pending(chan);
++      usbhsf_dma_start(pipe, fifo);
+       usbhs_pipe_enable(pipe);
+ xfer_work_end:
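Review bot: The new position of `usbhsf_dma_start(pipe, fifo)` after `dma_async_issue_pending(chan)` in xfer_work() is a hardware ordering requirement, but the code carries no comment, so it reads like an arbitrary reorder that a later cleanup could undo. I would add `/* start FIFO DMA requests only after the DMAC has been kicked (needed for zero-length packets) */` above the call. The function begins and ends outside the hunk.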
diff --git a/queue-4.9/usb-serial-console-fix-use-after-free-after-failed-setup.patch b/queue-4.9/usb-serial-console-fix-use-after-free-after-failed-setup.patch
new file mode 100644 (file)
index 0000000..eb79e0a
--- /dev/null
@@ -0,0 +1,32 @@
+From 299d7572e46f98534033a9e65973f13ad1ce9047 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Oct 2017 11:01:13 +0200
+Subject: USB: serial: console: fix use-after-free after failed setup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 299d7572e46f98534033a9e65973f13ad1ce9047 upstream.
+
+Make sure to reset the USB-console port pointer when console setup fails
+in order to avoid having the struct usb_serial be prematurely freed by
+the console code when the device is later disconnected.
+
+Fixes: 73e487fdb75f ("[PATCH] USB console: fix disconnection issues")
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/console.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -186,6 +186,7 @@ static int usb_console_setup(struct cons
+       tty_kref_put(tty);
+  reset_open_count:
+       port->port.count = 0;
++      info->port = NULL;
+       usb_autopm_put_interface(serial->interface);
+  error_get_interface:
+       usb_serial_put(serial);
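Review bot: `info->port = NULL` is added under the `reset_open_count` label, so only failures that jump there or to an earlier label clear the pointer, while a `goto error_get_interface` skips it. That is correct only if `info->port` is assigned after the last such jump, which the hunk does not show because usb_console_setup() starts outside it. A comment would make the intent explicit: `/* clear the console's port pointer so a later disconnect does not put a reference released below */`.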
diff --git a/queue-4.9/usb-serial-cp210x-add-support-for-elv-tfd500.patch b/queue-4.9/usb-serial-cp210x-add-support-for-elv-tfd500.patch
new file mode 100644 (file)
index 0000000..0667349
--- /dev/null
@@ -0,0 +1,29 @@
+From c496ad835c31ad639b6865714270b3003df031f6 Mon Sep 17 00:00:00 2001
+From: Andreas Engel <anen-nospam@gmx.net>
+Date: Mon, 18 Sep 2017 21:11:57 +0200
+Subject: USB: serial: cp210x: add support for ELV TFD500
+
+From: Andreas Engel <anen-nospam@gmx.net>
+
+commit c496ad835c31ad639b6865714270b3003df031f6 upstream.
+
+Add the USB device id for the ELV TFD500 data logger.
+
+Signed-off-by: Andreas Engel <anen-nospam@gmx.net>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -171,6 +171,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
+       { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+       { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
++      { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
+       { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+       { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+       { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
diff --git a/queue-4.9/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch b/queue-4.9/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
new file mode 100644 (file)
index 0000000..f52b9b5
--- /dev/null
@@ -0,0 +1,48 @@
+From a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 Mon Sep 17 00:00:00 2001
+From: Jeffrey Chu <jeffrey.chu@cypress.com>
+Date: Fri, 8 Sep 2017 21:08:58 +0000
+Subject: USB: serial: ftdi_sio: add id for Cypress WICED dev board
+
+From: Jeffrey Chu <jeffrey.chu@cypress.com>
+
+commit a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 upstream.
+
+Add CYPRESS_VID vid and CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB
+device IDs to ftdi_sio driver.
+
+Signed-off-by: Jeffrey Chu <jeffrey.chu@cypress.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c     |    2 ++
+ drivers/usb/serial/ftdi_sio_ids.h |    7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1015,6 +1015,8 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
+       { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
++      { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
+       { }                                     /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -610,6 +610,13 @@
+ #define ADI_GNICEPLUS_PID     0xF001
+ /*
++ * Cypress WICED USB UART
++ */
++#define CYPRESS_VID                   0x04B4
++#define CYPRESS_WICED_BT_USB_PID      0x009B
++#define CYPRESS_WICED_WL_USB_PID      0xF900
++
++/*
+  * Microchip Technology, Inc.
+  *
+  * MICROCHIP_VID (0x04D8) and MICROCHIP_USB_BOARD_PID (0x000A) are
diff --git a/queue-4.9/usb-serial-option-add-support-for-tp-link-lte-module.patch b/queue-4.9/usb-serial-option-add-support-for-tp-link-lte-module.patch
new file mode 100644 (file)
index 0000000..6eca33d
--- /dev/null
@@ -0,0 +1,38 @@
+From 837ddc4793a69b256ac5e781a5e729b448a8d983 Mon Sep 17 00:00:00 2001
+From: Henryk Heisig <hyniu@o2.pl>
+Date: Mon, 11 Sep 2017 17:57:34 +0200
+Subject: USB: serial: option: add support for TP-Link LTE module
+
+From: Henryk Heisig <hyniu@o2.pl>
+
+commit 837ddc4793a69b256ac5e781a5e729b448a8d983 upstream.
+
+This commit adds support for TP-Link LTE mPCIe module is used
+in in TP-Link MR200v1, MR6400v1 and v2 routers.
+
+Signed-off-by: Henryk Heisig <hyniu@o2.pl>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -522,6 +522,7 @@ static void option_instat_callback(struc
+ /* TP-LINK Incorporated products */
+ #define TPLINK_VENDOR_ID                      0x2357
++#define TPLINK_PRODUCT_LTE                    0x000D
+ #define TPLINK_PRODUCT_MA180                  0x0201
+ /* Changhong products */
+@@ -2011,6 +2012,7 @@ static const struct usb_device_id option
+       { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) },
+       { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) },
+       { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) },
++      { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) },      /* TP-Link LTE Module */
+       { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180),
+         .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+       { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000),                                 /* TP-Link MA260 */
diff --git a/queue-4.9/usb-serial-qcserial-add-dell-dw5818-dw5819.patch b/queue-4.9/usb-serial-qcserial-add-dell-dw5818-dw5819.patch
new file mode 100644 (file)
index 0000000..a991b0a
--- /dev/null
@@ -0,0 +1,34 @@
+From f5d9644c5fca7d8e8972268598bb516a7eae17f9 Mon Sep 17 00:00:00 2001
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+Date: Fri, 29 Sep 2017 12:39:51 +0800
+Subject: USB: serial: qcserial: add Dell DW5818, DW5819
+
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+
+commit f5d9644c5fca7d8e8972268598bb516a7eae17f9 upstream.
+
+Dell Wireless 5819/5818 devices are re-branded Sierra Wireless MC74
+series which will by default boot with vid 0x413c and pid's 0x81cf,
+0x81d0, 0x81d1, 0x81d2.
+
+Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -174,6 +174,10 @@ static const struct usb_device_id id_tab
+       {DEVICE_SWI(0x413c, 0x81b3)},   /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+       {DEVICE_SWI(0x413c, 0x81b5)},   /* Dell Wireless 5811e QDL */
+       {DEVICE_SWI(0x413c, 0x81b6)},   /* Dell Wireless 5811e QDL */
++      {DEVICE_SWI(0x413c, 0x81cf)},   /* Dell Wireless 5819 */
++      {DEVICE_SWI(0x413c, 0x81d0)},   /* Dell Wireless 5819 */
++      {DEVICE_SWI(0x413c, 0x81d1)},   /* Dell Wireless 5818 */
++      {DEVICE_SWI(0x413c, 0x81d2)},   /* Dell Wireless 5818 */
+       /* Huawei devices */
+       {DEVICE_HWI(0x03f0, 0x581d)},   /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */