4.11-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jun 2017 12:19:19 +0000 (14:19 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jun 2017 12:19:19 +0000 (14:19 +0200)
added patches:
net-phy-fix-marvell-phy-status-reading.patch
netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch
netfilter-xtables-zero-padding-in-data_to_user.patch
spi-double-time-out-tolerance.patch
usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch

queue-4.11/net-phy-fix-marvell-phy-status-reading.patch [new file with mode: 0644]
queue-4.11/netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch [new file with mode: 0644]
queue-4.11/netfilter-xtables-zero-padding-in-data_to_user.patch [new file with mode: 0644]
queue-4.11/series
queue-4.11/spi-double-time-out-tolerance.patch [new file with mode: 0644]
queue-4.11/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch [new file with mode: 0644]

diff --git a/queue-4.11/net-phy-fix-marvell-phy-status-reading.patch b/queue-4.11/net-phy-fix-marvell-phy-status-reading.patch
new file mode 100644 (file)
index 0000000..a7e01e1
--- /dev/null
@@ -0,0 +1,40 @@
+From 898805e0cdf7fd860ec21bf661d3a0285a3defbd Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 30 May 2017 16:21:51 +0100
+Subject: net: phy: fix marvell phy status reading
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream.
+
+The Marvell driver incorrectly provides phydev->lp_advertising as the
+logical and of the link partner's advert and our advert.  This is
+incorrect - this field is supposed to store the link parter's unmodified
+advertisment.
+
+This allows ethtool to report the correct link partner auto-negotiation
+status.
+
+Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/phy/marvell.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1127,8 +1127,6 @@ static int marvell_read_status_page(stru
+               if (adv < 0)
+                       return adv;
+-              lpa &= adv;
+-
+               if (status & MII_M1011_PHY_STATUS_FULLDUPLEX)
+                       phydev->duplex = DUPLEX_FULL;
+               else
diff --git a/queue-4.11/netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch b/queue-4.11/netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch
new file mode 100644 (file)
index 0000000..d612f50
--- /dev/null
@@ -0,0 +1,93 @@
+From 751a9c763849f5859cb69ea44b0430d00672f637 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 17 May 2017 11:24:47 -0400
+Subject: netfilter: xtables: fix build failure from COMPAT_XT_ALIGN outside CONFIG_COMPAT
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 751a9c763849f5859cb69ea44b0430d00672f637 upstream.
+
+The patch in the Fixes references COMPAT_XT_ALIGN in the definition
+of XT_DATA_TO_USER, outside an #ifdef CONFIG_COMPAT block.
+
+Split XT_DATA_TO_USER into separate compat and non compat variants and
+define the first inside an CONFIG_COMPAT block.
+
+This simplifies both variants by removing branches inside the macro.
+
+Fixes: 324318f0248c ("netfilter: xtables: zero padding in data_to_user")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/x_tables.c |   21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -296,18 +296,17 @@ int xt_data_to_user(void __user *dst, co
+ }
+ EXPORT_SYMBOL_GPL(xt_data_to_user);
+-#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE)                           \
++#define XT_DATA_TO_USER(U, K, TYPE)                                   \
+       xt_data_to_user(U->data, K->data,                               \
+                       K->u.kernel.TYPE->usersize,                     \
+-                      C_SIZE ? : K->u.kernel.TYPE->TYPE##size,        \
+-                      C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) :              \
+-                               XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
++                      K->u.kernel.TYPE->TYPE##size,                   \
++                      XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
+ int xt_match_to_user(const struct xt_entry_match *m,
+                    struct xt_entry_match __user *u)
+ {
+       return XT_OBJ_TO_USER(u, m, match, 0) ||
+-             XT_DATA_TO_USER(u, m, match, 0);
++             XT_DATA_TO_USER(u, m, match);
+ }
+ EXPORT_SYMBOL_GPL(xt_match_to_user);
+@@ -315,7 +314,7 @@ int xt_target_to_user(const struct xt_en
+                     struct xt_entry_target __user *u)
+ {
+       return XT_OBJ_TO_USER(u, t, target, 0) ||
+-             XT_DATA_TO_USER(u, t, target, 0);
++             XT_DATA_TO_USER(u, t, target);
+ }
+ EXPORT_SYMBOL_GPL(xt_target_to_user);
+@@ -614,6 +613,12 @@ void xt_compat_match_from_user(struct xt
+ }
+ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
++#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE)                    \
++      xt_data_to_user(U->data, K->data,                               \
++                      K->u.kernel.TYPE->usersize,                     \
++                      C_SIZE,                                         \
++                      COMPAT_XT_ALIGN(C_SIZE))
++
+ int xt_compat_match_to_user(const struct xt_entry_match *m,
+                           void __user **dstptr, unsigned int *size)
+ {
+@@ -629,7 +634,7 @@ int xt_compat_match_to_user(const struct
+               if (match->compat_to_user((void __user *)cm->data, m->data))
+                       return -EFAULT;
+       } else {
+-              if (XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
++              if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
+                       return -EFAULT;
+       }
+@@ -984,7 +989,7 @@ int xt_compat_target_to_user(const struc
+               if (target->compat_to_user((void __user *)ct->data, t->data))
+                       return -EFAULT;
+       } else {
+-              if (XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
++              if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
+                       return -EFAULT;
+       }
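Review bot: The new `COMPAT_XT_DATA_TO_USER` macro expands `C_SIZE` twice and uses `U->data` and `K->data` without parentheses, while both call sites pass a compound expression (`msize - sizeof(*cm)`, `tsize - sizeof(*ct)`). The second expansion is only safe if `COMPAT_XT_ALIGN` parenthesizes its argument, and that definition is outside this hunk. Writing the body as `xt_data_to_user((U)->data, (K)->data, (K)->u.kernel.TYPE->usersize, (C_SIZE), COMPAT_XT_ALIGN(C_SIZE))` removes that dependency; the same applies to the reworked `XT_DATA_TO_USER`. A one-line comment stating that `C_SIZE` is the compat payload size with the entry header excluded would also help, since these lengths bound a copy to user space.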
diff --git a/queue-4.11/netfilter-xtables-zero-padding-in-data_to_user.patch b/queue-4.11/netfilter-xtables-zero-padding-in-data_to_user.patch
new file mode 100644 (file)
index 0000000..266fbda
--- /dev/null
@@ -0,0 +1,114 @@
+From 324318f0248c31be8a08984146e7e4dd7cdd091d Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 9 May 2017 16:17:37 -0400
+Subject: netfilter: xtables: zero padding in data_to_user
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 324318f0248c31be8a08984146e7e4dd7cdd091d upstream.
+
+When looking up an iptables rule, the iptables binary compares the
+aligned match and target data (XT_ALIGN). In some cases this can
+exceed the actual data size to include padding bytes.
+
+Before commit f77bc5b23fb1 ("iptables: use match, target and data
+copy_to_user helpers") the malloc()ed bytes were overwritten by the
+kernel with kzalloced contents, zeroing the padding and making the
+comparison succeed. After this patch, the kernel copies and clears
+only data, leaving the padding bytes undefined.
+
+Extend the clear operation from data size to aligned data size to
+include the padding bytes, if any.
+
+Padding bytes can be observed in both match and target, and the bug
+triggered, by issuing a rule with match icmp and target ACCEPT:
+
+  iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
+  iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
+
+Fixes: f77bc5b23fb1 ("iptables: use match, target and data copy_to_user helpers")
+Reported-by: Paul Moore <pmoore@redhat.com>
+Reported-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter/x_tables.h |    2 +-
+ net/bridge/netfilter/ebtables.c    |    9 ++++++---
+ net/netfilter/x_tables.c           |    9 ++++++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/include/linux/netfilter/x_tables.h
++++ b/include/linux/netfilter/x_tables.h
+@@ -294,7 +294,7 @@ int xt_match_to_user(const struct xt_ent
+ int xt_target_to_user(const struct xt_entry_target *t,
+                     struct xt_entry_target __user *u);
+ int xt_data_to_user(void __user *dst, const void *src,
+-                  int usersize, int size);
++                  int usersize, int size, int aligned_size);
+ void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
+                                struct xt_counters_info *info, bool compat);
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1358,7 +1358,8 @@ static inline int ebt_obj_to_user(char _
+       strlcpy(name, _name, sizeof(name));
+       if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) ||
+           put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) ||
+-          xt_data_to_user(um + entrysize, data, usersize, datasize))
++          xt_data_to_user(um + entrysize, data, usersize, datasize,
++                          XT_ALIGN(datasize)))
+               return -EFAULT;
+       return 0;
+@@ -1643,7 +1644,8 @@ static int compat_match_to_user(struct e
+               if (match->compat_to_user(cm->data, m->data))
+                       return -EFAULT;
+       } else {
+-              if (xt_data_to_user(cm->data, m->data, match->usersize, msize))
++              if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
++                                  COMPAT_XT_ALIGN(msize)))
+                       return -EFAULT;
+       }
+@@ -1672,7 +1674,8 @@ static int compat_target_to_user(struct
+               if (target->compat_to_user(cm->data, t->data))
+                       return -EFAULT;
+       } else {
+-              if (xt_data_to_user(cm->data, t->data, target->usersize, tsize))
++              if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
++                                  COMPAT_XT_ALIGN(tsize)))
+                       return -EFAULT;
+       }
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -283,12 +283,13 @@ static int xt_obj_to_user(u16 __user *ps
+                      &U->u.user.revision, K->u.kernel.TYPE->revision)
+ int xt_data_to_user(void __user *dst, const void *src,
+-                  int usersize, int size)
++                  int usersize, int size, int aligned_size)
+ {
+       usersize = usersize ? : size;
+       if (copy_to_user(dst, src, usersize))
+               return -EFAULT;
+-      if (usersize != size && clear_user(dst + usersize, size - usersize))
++      if (usersize != aligned_size &&
++          clear_user(dst + usersize, aligned_size - usersize))
+               return -EFAULT;
+       return 0;
+@@ -298,7 +299,9 @@ EXPORT_SYMBOL_GPL(xt_data_to_user);
+ #define XT_DATA_TO_USER(U, K, TYPE, C_SIZE)                           \
+       xt_data_to_user(U->data, K->data,                               \
+                       K->u.kernel.TYPE->usersize,                     \
+-                      C_SIZE ? : K->u.kernel.TYPE->TYPE##size)
++                      C_SIZE ? : K->u.kernel.TYPE->TYPE##size,        \
++                      C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) :              \
++                               XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
+ int xt_match_to_user(const struct xt_entry_match *m,
+                    struct xt_entry_match __user *u)
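Review bot: In the new `xt_data_to_user()`, the clear length `aligned_size - usersize` is computed from signed `int` values behind a `!=` guard, so a `usersize` larger than `aligned_size` would give a negative value that becomes the length passed to `clear_user()`. Nothing in the hunk bounds `usersize` against `size` or `aligned_size`; presumably extension registration enforces this, but that code is outside the hunk. A directional guard states the intent, `if (usersize < aligned_size && clear_user(dst + usersize, aligned_size - usersize))`, ideally with an early rejection of `usersize > size` before the `copy_to_user()`. The function also deserves a short comment saying that bytes from `usersize` up to `aligned_size` are zeroed, so that kernel-only fields and alignment padding reach user space as zeros.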
index 96ae65293df30f921cb2214a9f81e7f14a699011..df875c30875951791c7f0784221500022bc4c1b2 100644 (file)
@@ -50,3 +50,8 @@ acpi-scan-apply-default-enumeration-to-devices-with-acpi-drivers.patch
 acpi-scan-fix-enumeration-for-special-spi-and-i2c-devices.patch
 rxrpc-fix-several-cases-where-a-padded-len-isn-t-checked-in-ticket-decode.patch
 drm-fix-getconnector-regression.patch
+usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
+spi-double-time-out-tolerance.patch
+net-phy-fix-marvell-phy-status-reading.patch
+netfilter-xtables-zero-padding-in-data_to_user.patch
+netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch
diff --git a/queue-4.11/spi-double-time-out-tolerance.patch b/queue-4.11/spi-double-time-out-tolerance.patch
new file mode 100644 (file)
index 0000000..dbe3731
--- /dev/null
@@ -0,0 +1,44 @@
+From 833bfade96561216aa2129516a5926a0326860a2 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 17 Apr 2017 01:38:05 +0200
+Subject: spi: double time out tolerance
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit 833bfade96561216aa2129516a5926a0326860a2 upstream.
+
+The generic SPI code calculates how long the issued transfer would take
+and adds 100ms in addition to the timeout as tolerance. On my 500 MHz
+Lantiq Mips SoC I am getting timeouts from the SPI like this when the
+system boots up:
+
+m25p80 spi32766.4: SPI transfer timed out
+blk_update_request: I/O error, dev mtdblock3, sector 2
+SQUASHFS error: squashfs_read_data failed to read block 0x6e
+
+After increasing the tolerance for the timeout to 200ms I haven't seen
+these SPI transfer time outs any more.
+The Lantiq SPI driver in use here has an extra work queue in between,
+which gets triggered when the controller send the last word and the
+hardware FIFOs used for reading and writing are only 8 words long.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1015,7 +1015,7 @@ static int spi_transfer_one_message(stru
+                               ret = 0;
+                               ms = 8LL * 1000LL * xfer->len;
+                               do_div(ms, xfer->speed_hz);
+-                              ms += ms + 100; /* some tolerance */
++                              ms += ms + 200; /* some tolerance */
+                               if (ms > UINT_MAX)
+                                       ms = UINT_MAX;
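Review bot: The comment `/* some tolerance */` on the changed line undersells what `ms += ms + 200;` does: it doubles the estimated transfer time and then adds a fixed 200 ms. A comment such as `/* 2x the estimated transfer time plus 200 ms slack for controller/driver latency */` would record why the constant exists and make it easier to revisit. Separately, the context line `do_div(ms, xfer->speed_hz);` divides by a per-transfer field; whether `speed_hz` is guaranteed non-zero is decided outside the hunk, as spi_transfer_one_message starts and ends outside it.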
diff --git a/queue-4.11/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch b/queue-4.11/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
new file mode 100644 (file)
index 0000000..c4efe51
--- /dev/null
@@ -0,0 +1,106 @@
+From b7f73850bb4fac1e2209a4dd5e636d39be92f42c Mon Sep 17 00:00:00 2001
+From: William Wu <william.wu@rock-chips.com>
+Date: Tue, 25 Apr 2017 17:45:48 +0800
+Subject: usb: gadget: f_fs: avoid out of bounds access on comp_desc
+
+From: William Wu <william.wu@rock-chips.com>
+
+commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c upstream.
+
+Companion descriptor is only used for SuperSpeed endpoints,
+if the endpoints are HighSpeed or FullSpeed, the Companion
+descriptor will not allocated, so we can only access it if
+gadget is SuperSpeed.
+
+I can reproduce this issue on Rockchip platform rk3368 SoC
+which supports USB 2.0, and use functionfs for ADB. Kernel
+build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
+the following BUG:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
+Read of size 1 by task swapper/0/0
+============================================================================
+BUG kmalloc-256 (Not tainted): kasan: bad access detected
+----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
+alloc_debug_processing+0x128/0x17c
+___slab_alloc.constprop.58+0x50c/0x610
+__slab_alloc.isra.55.constprop.57+0x24/0x34
+__kmalloc+0xe0/0x250
+ffs_func_bind+0x52c/0x99c
+usb_add_function+0xd8/0x1d4
+configfs_composite_bind+0x48c/0x570
+udc_bind_to_driver+0x6c/0x170
+usb_udc_attach_driver+0xa4/0xd0
+gadget_dev_desc_UDC_store+0xcc/0x118
+configfs_write_file+0x1a0/0x1f8
+__vfs_write+0x64/0x174
+vfs_write+0xe4/0x200
+SyS_write+0x68/0xc8
+el0_svc_naked+0x24/0x28
+INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
+...
+Call trace:
+[<ffffff900808aab4>] dump_backtrace+0x0/0x230
+[<ffffff900808acf8>] show_stack+0x14/0x1c
+[<ffffff90084ad420>] dump_stack+0xa0/0xc8
+[<ffffff90082157cc>] print_trailer+0x188/0x198
+[<ffffff9008215948>] object_err+0x3c/0x4c
+[<ffffff900821b5ac>] kasan_report+0x324/0x4dc
+[<ffffff900821aa38>] __asan_load1+0x24/0x50
+[<ffffff90089eb750>] ffs_func_set_alt+0x224/0x3a0
+[<ffffff90089d3760>] composite_setup+0xdcc/0x1ac8
+[<ffffff90089d7394>] android_setup+0x124/0x1a0
+[<ffffff90089acd18>] _setup+0x54/0x74
+[<ffffff90089b6b98>] handle_ep0+0x3288/0x4390
+[<ffffff90089b9b44>] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
+[<ffffff90089be85c>] dwc_otg_pcd_handle_intr+0x1ec/0x298
+[<ffffff90089ad680>] dwc_otg_pcd_irq+0x10/0x20
+[<ffffff9008116328>] handle_irq_event_percpu+0x124/0x3ac
+[<ffffff9008116610>] handle_irq_event+0x60/0xa0
+[<ffffff900811af30>] handle_fasteoi_irq+0x10c/0x1d4
+[<ffffff9008115568>] generic_handle_irq+0x30/0x40
+[<ffffff90081159b4>] __handle_domain_irq+0xac/0xdc
+[<ffffff9008080e9c>] gic_handle_irq+0x64/0xa4
+...
+Memory state around the buggy address:
+  ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
+ >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                       ^
+  ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: William Wu <william.wu@rock-chips.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Jerry Zhang <zhangjerry@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1859,12 +1859,12 @@ static int ffs_func_eps_enable(struct ff
+               ep->ep->driver_data = ep;
+               ep->ep->desc = ds;
+-              comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
+-                              USB_DT_ENDPOINT_SIZE);
+-              ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+-
+-              if (needs_comp_desc)
++              if (needs_comp_desc) {
++                      comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
++                                      USB_DT_ENDPOINT_SIZE);
++                      ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+                       ep->ep->comp_desc = comp_desc;
++              }
+               ret = usb_ep_enable(ep->ep);
+               if (likely(!ret)) {
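Review bot: The moved expression `(struct usb_ss_ep_comp_descriptor *)(ds + USB_DT_ENDPOINT_SIZE)` still does its arithmetic on `ds` before the cast. If `ds` is a typed endpoint-descriptor pointer (its declaration is outside the hunk), the offset is scaled by the descriptor's size rather than counted in bytes. In that case the SuperSpeed path would read `bMaxBurst` well past the companion descriptor, even with the new `needs_comp_desc` guard. Doing the arithmetic on a byte pointer avoids this: `comp_desc = (struct usb_ss_ep_comp_descriptor *)((u8 *)ds + USB_DT_ENDPOINT_SIZE);`. ffs_func_eps_enable begins and continues outside the hunk, so the type of `ds` should be confirmed there.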