vmw_balloon-fix-inflation-with-batching.patch
ahci-add-intel-ice-lake-lp-pci-id.patch
ahci-disable-lpm-on-lenovo-50-series-laptops-with-a-too-old-bios.patch
+thunderbolt-notify-userspace-when-boot_acl-is-changed.patch
+usb-serial-ch341-fix-type-promotion-bug-in-ch341_control_in.patch
+usb-serial-cp210x-add-another-usb-id-for-qivicon-zigbee-stick.patch
+usb-serial-keyspan_pda-fix-modem-status-error-handling.patch
+usb-yurex-fix-out-of-bounds-uaccess-in-read-handler.patch
+usb-serial-mos7840-fix-status-register-error-handling.patch
+usb-quirks-add-delay-quirks-for-corsair-strafe.patch
+xhci-xhci-mem-off-by-one-in-xhci_stream_id_to_ring.patch
--- /dev/null
+From 007a74907deeceefef9dc3ec4679fbd7921eaa51 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Tue, 26 Jun 2018 14:46:35 +0300
+Subject: thunderbolt: Notify userspace when boot_acl is changed
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 007a74907deeceefef9dc3ec4679fbd7921eaa51 upstream.
+
+The commit 9aaa3b8b4c56 ("thunderbolt: Add support for preboot ACL")
+introduced boot_acl attribute but missed the fact that now userspace
+needs to poll the attribute constantly to find out whether it has
+changed or not. Fix this by sending notification to the userspace
+whenever the boot_acl attribute is changed.
+
+Fixes: 9aaa3b8b4c56 ("thunderbolt: Add support for preboot ACL")
+Reported-and-tested-by: Christian Kellner <christian@kellner.me>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Christian Kellner <christian@kellner.me>
+Acked-by: Yehezkel Bernat <yehezkelshb@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thunderbolt/domain.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/thunderbolt/domain.c
++++ b/drivers/thunderbolt/domain.c
+@@ -213,6 +213,10 @@ static ssize_t boot_acl_store(struct dev
+ goto err_free_acl;
+ }
+ ret = tb->cm_ops->set_boot_acl(tb, acl, tb->nboot_acl);
++ if (!ret) {
++ /* Notify userspace about the change */
++ kobject_uevent(&tb->dev.kobj, KOBJ_CHANGE);
++ }
+ mutex_unlock(&tb->lock);
+
+ err_free_acl:
--- /dev/null
+From bba57eddadda936c94b5dccf73787cb9e159d0a5 Mon Sep 17 00:00:00 2001
+From: Nico Sneck <snecknico@gmail.com>
+Date: Mon, 2 Jul 2018 19:26:07 +0300
+Subject: usb: quirks: add delay quirks for Corsair Strafe
+
+From: Nico Sneck <snecknico@gmail.com>
+
+commit bba57eddadda936c94b5dccf73787cb9e159d0a5 upstream.
+
+Corsair Strafe appears to suffer from the same issues
+as the Corsair Strafe RGB.
+Apply the same quirks (control message delay and init delay)
+that the RGB version has to 1b1c:1b15.
+
+With these quirks in place the keyboard works correctly upon
+booting the system, and no longer requires reattaching the device.
+
+Signed-off-by: Nico Sneck <snecknico@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -378,6 +378,10 @@ static const struct usb_device_id usb_qu
+ /* Corsair K70 RGB */
+ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+
++ /* Corsair Strafe */
++ { USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT |
++ USB_QUIRK_DELAY_CTRL_MSG },
++
+ /* Corsair Strafe RGB */
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
--- /dev/null
+From e33eab9ded328ccc14308afa51b5be7cbe78d30b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:29:38 +0300
+Subject: USB: serial: ch341: fix type promotion bug in ch341_control_in()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit e33eab9ded328ccc14308afa51b5be7cbe78d30b upstream.
+
+The "r" variable is an int and "bufsize" is an unsigned int so the
+comparison is type promoted to unsigned. If usb_control_msg() returns a
+negative that is treated as a high positive value and the error handling
+doesn't work.
+
+Fixes: 2d5a9c72d0c4 ("USB: serial: ch341: fix control-message error handling")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ch341.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -128,7 +128,7 @@ static int ch341_control_in(struct usb_d
+ r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+ value, index, buf, bufsize, DEFAULT_TIMEOUT);
+- if (r < bufsize) {
++ if (r < (int)bufsize) {
+ if (r >= 0) {
+ dev_err(&dev->dev,
+ "short control message received (%d < %u)\n",
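Review bot: The cast in `if (r < (int)bufsize) {` only repairs the comparison while bufsize fits in an int; a value above INT_MAX would become negative, and a failed or short transfer could then pass as complete. The callers are outside this hunk, so this may never occur in practice, but testing the sign first keeps the check correct without relying on that: `if (r < 0 || (unsigned int)r < bufsize) {`. The inner `if (r >= 0)` branch that logs the short read can stay as it is. ch341_control_in() begins and ends outside the hunk.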
--- /dev/null
+From 367b160fe4717c14a2a978b6f9ffb75a7762d3ed Mon Sep 17 00:00:00 2001
+From: Olli Salonen <olli.salonen@iki.fi>
+Date: Wed, 4 Jul 2018 14:07:42 +0300
+Subject: USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
+
+From: Olli Salonen <olli.salonen@iki.fi>
+
+commit 367b160fe4717c14a2a978b6f9ffb75a7762d3ed upstream.
+
+There are two versions of the Qivicon Zigbee stick in circulation. This
+adds the second USB ID to the cp210x driver.
+
+Signed-off-by: Olli Salonen <olli.salonen@iki.fi>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -149,6 +149,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
+ { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+ { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
++ { USB_DEVICE(0x10C4, 0x89FB) }, /* Qivicon ZigBee USB Radio Stick */
+ { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
+ { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
+ { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
--- /dev/null
+From 01b3cdfca263a17554f7b249d20a247b2a751521 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 17:02:16 +0200
+Subject: USB: serial: keyspan_pda: fix modem-status error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 01b3cdfca263a17554f7b249d20a247b2a751521 upstream.
+
+Fix broken modem-status error handling which could lead to bits of slab
+data leaking to user space.
+
+Fixes: 3b36a8fd6777 ("usb: fix uninitialized variable warning in keyspan_pda")
+Cc: stable <stable@vger.kernel.org> # 2.6.27
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -369,8 +369,10 @@ static int keyspan_pda_get_modem_info(st
+ 3, /* get pins */
+ USB_TYPE_VENDOR|USB_RECIP_INTERFACE|USB_DIR_IN,
+ 0, 0, data, 1, 2000);
+- if (rc >= 0)
++ if (rc == 1)
+ *value = *data;
++ else if (rc >= 0)
++ rc = -EIO;
+
+ kfree(data);
+ return rc;
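Review bot: The new `rc == 1` test repeats, as a bare literal, the transfer length passed to usb_control_msg() two lines above, and nothing in the code says why a short reply must be rejected. I would add a comment above the test such as `/* only a full 1-byte reply fills *data; a short read would copy uninitialised slab memory to the caller */`, so the tie between the two values and the reason for the -EIO mapping stay visible if the request size is ever changed. The start of keyspan_pda_get_modem_info(), including the allocation of `data`, is outside the hunk.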
--- /dev/null
+From 794744abfffef8b1f3c0c8a4896177d6d13d653d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 17:02:17 +0200
+Subject: USB: serial: mos7840: fix status-register error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 794744abfffef8b1f3c0c8a4896177d6d13d653d upstream.
+
+Add missing transfer-length sanity check to the status-register
+completion handler to avoid leaking bits of uninitialised slab data to
+user space.
+
+Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7840.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -468,6 +468,9 @@ static void mos7840_control_callback(str
+ }
+
+ dev_dbg(dev, "%s urb buffer size is %d\n", __func__, urb->actual_length);
++ if (urb->actual_length < 1)
++ goto out;
++
+ dev_dbg(dev, "%s mos7840_port->MsrLsr is %d port %d\n", __func__,
+ mos7840_port->MsrLsr, mos7840_port->port_num);
+ data = urb->transfer_buffer;
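Review bot: The added `if (urb->actual_length < 1)` guard carries no comment naming the read it protects, and that read of the transfer buffer comes after the end of this hunk, so the check looks arbitrary when seen in isolation. A one-line comment above it would record the intent, for example `/* the status byte is taken from transfer_buffer below; an empty transfer leaves it uninitialised */`. A short transfer is also dropped with nothing but the generic size dev_dbg above it; whether `out` resubmits the URB or logs anything is not visible here, so confirm that a device which keeps returning empty transfers is still noticed.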
--- /dev/null
+From f1e255d60ae66a9f672ff9a207ee6cd8e33d2679 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 6 Jul 2018 17:12:56 +0200
+Subject: USB: yurex: fix out-of-bounds uaccess in read handler
+
+From: Jann Horn <jannh@google.com>
+
+commit f1e255d60ae66a9f672ff9a207ee6cd8e33d2679 upstream.
+
+In general, accessing userspace memory beyond the length of the supplied
+buffer in VFS read/write handlers can lead to both kernel memory corruption
+(via kernel_read()/kernel_write(), which can e.g. be triggered via
+sys_splice()) and privilege escalation inside userspace.
+
+Fix it by using simple_read_from_buffer() instead of custom logic.
+
+Fixes: 6bc235a2e24a ("USB: add driver for Meywa-Denki & Kayac YUREX")
+Signed-off-by: Jann Horn <jannh@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/yurex.c | 23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -396,8 +396,7 @@ static ssize_t yurex_read(struct file *f
+ loff_t *ppos)
+ {
+ struct usb_yurex *dev;
+- int retval = 0;
+- int bytes_read = 0;
++ int len = 0;
+ char in_buffer[20];
+ unsigned long flags;
+
+@@ -405,26 +404,16 @@ static ssize_t yurex_read(struct file *f
+
+ mutex_lock(&dev->io_mutex);
+ if (!dev->interface) { /* already disconnected */
+- retval = -ENODEV;
+- goto exit;
++ mutex_unlock(&dev->io_mutex);
++ return -ENODEV;
+ }
+
+ spin_lock_irqsave(&dev->lock, flags);
+- bytes_read = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
++ len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
+ spin_unlock_irqrestore(&dev->lock, flags);
+-
+- if (*ppos < bytes_read) {
+- if (copy_to_user(buffer, in_buffer + *ppos, bytes_read - *ppos))
+- retval = -EFAULT;
+- else {
+- retval = bytes_read - *ppos;
+- *ppos += bytes_read;
+- }
+- }
+-
+-exit:
+ mutex_unlock(&dev->io_mutex);
+- return retval;
++
++ return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
+ }
+
+ static ssize_t yurex_write(struct file *file, const char __user *user_buffer,
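Review bot: `len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);` returns the length the formatted text would have had, not the number of bytes actually stored, and that value is now handed to simple_read_from_buffer() as the amount of data available in in_buffer. The most negative 64-bit value formats to 21 characters including the newline, so len can exceed the 20-byte array and the copy to userspace would then read one byte of kernel stack beyond it. Whether dev->bbu can reach that magnitude depends on code outside this hunk, but the truncating variant removes the dependency and avoids repeating the array size: `len = scnprintf(in_buffer, sizeof(in_buffer), "%lld\n", dev->bbu);`.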
--- /dev/null
+From 313db3d6488bb03b61b99de9dbca061f1fd838e1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:48:53 +0300
+Subject: xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 313db3d6488bb03b61b99de9dbca061f1fd838e1 upstream.
+
+The > should be >= here so that we don't read one element beyond the end
+of the ep->stream_info->stream_rings[] array.
+
+Fixes: e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -591,7 +591,7 @@ struct xhci_ring *xhci_stream_id_to_ring
+ if (!ep->stream_info)
+ return NULL;
+
+- if (stream_id > ep->stream_info->num_streams)
++ if (stream_id >= ep->stream_info->num_streams)
+ return NULL;
+ return ep->stream_info->stream_rings[stream_id];
+ }