--- /dev/null
+From e46a3b3ba7509cb7fda0e07bc7c63a2cd90f579b Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Wed, 7 Feb 2018 12:38:47 -0800
+Subject: ANDROID: binder: remove WARN() for redundant txn error
+
+From: Todd Kjos <tkjos@android.com>
+
+commit e46a3b3ba7509cb7fda0e07bc7c63a2cd90f579b upstream.
+
+binder_send_failed_reply() is called when a synchronous
+transaction fails. It reports an error to the thread that
+is waiting for the completion. Given that the transaction
+is synchronous, there should never be more than 1 error
+response to that thread -- this was being asserted with
+a WARN().
+
+However, when exercising the driver with syzbot tests, cases
+were observed where multiple "synchronous" requests were
+sent without waiting for responses, so it is possible that
+multiple errors would be reported to the thread. This testing
+was conducted with panic_on_warn set which forced the crash.
+
+This is easily reproduced by sending back-to-back
+"synchronous" transactions without checking for any
+response (eg, set read_size to 0):
+
+ bwr.write_buffer = (uintptr_t)&bc1;
+ bwr.write_size = sizeof(bc1);
+ bwr.read_buffer = (uintptr_t)&br;
+ bwr.read_size = 0;
+ ioctl(fd, BINDER_WRITE_READ, &bwr);
+ sleep(1);
+ bwr2.write_buffer = (uintptr_t)&bc2;
+ bwr2.write_size = sizeof(bc2);
+ bwr2.read_buffer = (uintptr_t)&br;
+ bwr2.read_size = 0;
+ ioctl(fd, BINDER_WRITE_READ, &bwr2);
+ sleep(1);
+
+The first transaction is sent to the servicemanager and the reply
+fails because no VMA is set up by this client. After
+binder_send_failed_reply() is called, the BINDER_WORK_RETURN_ERROR
+is sitting on the thread's todo list since the read_size was 0 and
+the client is not waiting for a response.
+
+The 2nd transaction is sent and the BINDER_WORK_RETURN_ERROR has not
+been consumed, so the thread's reply_error.cmd is still set (normally
+cleared when the BINDER_WORK_RETURN_ERROR is handled). Therefore
+when the servicemanager attempts to reply to the 2nd failed
+transaction, the error is already set and it triggers this warning.
+
+This is a user error since it is not waiting for the synchronous
+transaction to complete. If it ever does check, it will see an
+error.
+
+Changed the WARN() to a pr_warn().
+
+Signed-off-by: Todd Kjos <tkjos@android.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1933,8 +1933,14 @@ static void binder_send_failed_reply(str
+ &target_thread->todo);
+ wake_up_interruptible(&target_thread->wait);
+ } else {
+- WARN(1, "Unexpected reply error: %u\n",
+- target_thread->reply_error.cmd);
++ /*
++ * Cannot get here for normal operation, but
++ * we can if multiple synchronous transactions
++ * are sent without blocking for responses.
++ * Just ignore the 2nd error in this case.
++ */
++ pr_warn("Unexpected reply error: %u\n",
++ target_thread->reply_error.cmd);
+ }
+ binder_inner_proc_unlock(target_thread->proc);
+ binder_thread_dec_tmpref(target_thread);
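Review bot: The pr_warn() that replaces the WARN() is on a path the commit message itself shows is reachable from unprivileged userspace by sending back-to-back synchronous transactions, so a misbehaving or malicious client can now emit an unbounded stream of kernel log lines instead of one oops. Bounding it costs nothing: `pr_warn_ratelimited("Unexpected reply error: %u\n", target_thread->reply_error.cmd);` keeps the diagnostic while stopping a client from flooding dmesg. The enclosing binder_send_failed_reply() begins outside the hunk.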
--- /dev/null
+From 5eeb2ca02a2f6084fc57ae5c244a38baab07033a Mon Sep 17 00:00:00 2001
+From: Martijn Coenen <maco@android.com>
+Date: Fri, 16 Feb 2018 09:47:15 +0100
+Subject: ANDROID: binder: synchronize_rcu() when using POLLFREE.
+
+From: Martijn Coenen <maco@android.com>
+
+commit 5eeb2ca02a2f6084fc57ae5c244a38baab07033a upstream.
+
+To prevent races with ep_remove_waitqueue() removing the
+waitqueue at the same time.
+
+Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com
+Signed-off-by: Martijn Coenen <maco@android.com>
+Cc: stable <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4322,6 +4322,15 @@ static int binder_thread_release(struct
+
+ binder_inner_proc_unlock(thread->proc);
+
++ /*
++ * This is needed to avoid races between wake_up_poll() above and
++ * and ep_remove_waitqueue() called for other reasons (eg the epoll file
++ * descriptor being closed); ep_remove_waitqueue() holds an RCU read
++ * lock, so we can be sure it's done after calling synchronize_rcu().
++ */
++ if (thread->looper & BINDER_LOOPER_STATE_POLL)
++ synchronize_rcu();
++
+ if (send_reply)
+ binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
+ binder_release_work(proc, &thread->todo);
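Review bot: The new comment contains a doubled word, `wake_up_poll() above and and ep_remove_waitqueue()`, which is worth fixing since this block explains a subtle RCU ordering. Also, the `thread->looper & BINDER_LOOPER_STATE_POLL` test runs after the `binder_inner_proc_unlock(thread->proc)` just above it; if the only writer of that flag is binder_poll() under the inner lock and the thread is already being torn down, the unlocked read is fine, but a one-line comment such as `/* looper is stable here: the thread is being released */` would make that reasoning explicit. The enclosing binder_thread_release() starts and ends outside the hunk.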
--- /dev/null
+From f88982679f54f75daa5b8eff3da72508f1e7422f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 30 Jan 2018 23:11:24 -0800
+Subject: binder: check for binder_thread allocation failure in binder_poll()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
+
+If the kzalloc() in binder_get_thread() fails, binder_poll()
+dereferences the resulting NULL pointer.
+
+Fix it by returning POLLERR if the memory allocation failed.
+
+This bug was found by syzkaller using fault injection.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4346,6 +4346,8 @@ static unsigned int binder_poll(struct f
+ bool wait_for_proc_work;
+
+ thread = binder_get_thread(proc);
++ if (!thread)
++ return POLLERR;
+
+ binder_inner_proc_lock(thread->proc);
+ thread->looper |= BINDER_LOOPER_STATE_POLL;
--- /dev/null
+From 8ca86f1639ec5890d400fff9211aca22d0a392eb Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Wed, 7 Feb 2018 13:57:37 -0800
+Subject: binder: replace "%p" with "%pK"
+
+From: Todd Kjos <tkjos@android.com>
+
+commit 8ca86f1639ec5890d400fff9211aca22d0a392eb upstream.
+
+The format specifier "%p" can leak kernel addresses. Use
+"%pK" instead. There were 4 remaining cases in binder.c.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2141,7 +2141,7 @@ static void binder_transaction_buffer_re
+ int debug_id = buffer->debug_id;
+
+ binder_debug(BINDER_DEBUG_TRANSACTION,
+- "%d buffer release %d, size %zd-%zd, failed at %p\n",
++ "%d buffer release %d, size %zd-%zd, failed at %pK\n",
+ proc->pid, buffer->debug_id,
+ buffer->data_size, buffer->offsets_size, failed_at);
+
+@@ -3653,7 +3653,7 @@ static int binder_thread_write(struct bi
+ }
+ }
+ binder_debug(BINDER_DEBUG_DEAD_BINDER,
+- "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n",
++ "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
+ proc->pid, thread->pid, (u64)cookie,
+ death);
+ if (death == NULL) {
+@@ -4991,7 +4991,7 @@ static void print_binder_transaction_ilo
+ spin_lock(&t->lock);
+ to_proc = t->to_proc;
+ seq_printf(m,
+- "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
++ "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d",
+ prefix, t->debug_id, t,
+ t->from ? t->from->proc->pid : 0,
+ t->from ? t->from->pid : 0,
+@@ -5015,7 +5015,7 @@ static void print_binder_transaction_ilo
+ }
+ if (buffer->target_node)
+ seq_printf(m, " node %d", buffer->target_node->debug_id);
+- seq_printf(m, " size %zd:%zd data %p\n",
++ seq_printf(m, " size %zd:%zd data %pK\n",
+ buffer->data_size, buffer->offsets_size,
+ buffer->data);
+ }
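Review bot: The two binder_debug() sites in the first two hunks go through printk, and as I understand restricted_pointer() the %pK decision there is made against the task that issued the binder call rather than against whoever later reads the log, so with kptr_restrict=1 a CAP_SYSLOG caller still puts a real kernel address into dmesg; the two seq_printf sites are evaluated against the debugfs reader and are the intended use of %pK. Both printk messages are already keyed by debug_id, so it is worth asking whether the pointer value carries enough diagnostic value to keep at all, as removing it closes the vector rather than gating it on a sysctl. The enclosing functions start and end outside the hunks.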
arm-8743-1-bl_switcher-add-module_license-tag.patch
arm64-dts-add-cooling-cells-to-cpu-nodes.patch
dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside-sock-lock.patch
+android-binder-remove-warn-for-redundant-txn-error.patch
+android-binder-synchronize_rcu-when-using-pollfree.patch
+staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
+binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
+binder-replace-p-with-pk.patch
+staging-fsl-mc-fix-build-testing-on-x86.patch
+staging-iio-adc-ad7192-fix-external-frequency-setting.patch
+staging-iio-ad5933-switch-buffer-mode-to-software.patch
+xhci-fix-null-pointer-in-xhci-debugfs.patch
+xhci-fix-xhci-debugfs-devices-node-disappearance-after-hibernation.patch
+xhci-xhci-debugfs-device-nodes-weren-t-removed-after-device-plugged-out.patch
+xhci-fix-xhci-debugfs-errors-in-xhci_stop.patch
+usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
--- /dev/null
+From ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 4 Feb 2018 02:06:27 +0000
+Subject: staging: android: ashmem: Fix a race condition in pin ioctls
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream.
+
+ashmem_pin_unpin() reads asma->file and asma->size before taking the
+ashmem_mutex, so it can race with other operations that modify them.
+
+Build-tested only.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -710,30 +710,32 @@ static int ashmem_pin_unpin(struct ashme
+ size_t pgstart, pgend;
+ int ret = -EINVAL;
+
++ mutex_lock(&ashmem_mutex);
++
+ if (unlikely(!asma->file))
+- return -EINVAL;
++ goto out_unlock;
+
+- if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
+- return -EFAULT;
++ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
++ ret = -EFAULT;
++ goto out_unlock;
++ }
+
+ /* per custom, you can pass zero for len to mean "everything onward" */
+ if (!pin.len)
+ pin.len = PAGE_ALIGN(asma->size) - pin.offset;
+
+ if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(((__u32)-1) - pin.offset < pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ pgstart = pin.offset / PAGE_SIZE;
+ pgend = pgstart + (pin.len / PAGE_SIZE) - 1;
+
+- mutex_lock(&ashmem_mutex);
+-
+ switch (cmd) {
+ case ASHMEM_PIN:
+ ret = ashmem_pin(asma, pgstart, pgend);
+@@ -746,6 +748,7 @@ static int ashmem_pin_unpin(struct ashme
+ break;
+ }
+
++out_unlock:
+ mutex_unlock(&ashmem_mutex);
+
+ return ret;
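Review bot: Moving `mutex_lock(&ashmem_mutex)` above the copy_from_user() means a user page fault can now occur while ashmem_mutex is held; if ashmem_mmap() takes ashmem_mutex while the caller already holds mmap_sem (as I believe it does), the fault path acquiring mmap_sem under ashmem_mutex creates an ABBA lock-order inversion between a concurrent mmap() and this ioctl. The `pin` struct does not depend on any asma state, so the copy can stay outside the lock: keep `if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) return -EFAULT;` before the `mutex_lock(&ashmem_mutex);` and only the checks that read `asma->file` and `asma->size` need to follow it. The enclosing ashmem_pin_unpin() starts outside the first hunk.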
--- /dev/null
+From 02b7b2844c2ffd3b614ec2b9293e8c7f041d60da Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 16 Feb 2018 16:36:04 +0100
+Subject: staging: fsl-mc: fix build testing on x86
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 02b7b2844c2ffd3b614ec2b9293e8c7f041d60da upstream.
+
+Selecting GENERIC_MSI_IRQ_DOMAIN on x86 causes a compile-time error in
+some configurations:
+
+drivers/base/platform-msi.c:37:19: error: field 'arg' has incomplete type
+
+On the other architectures, we are fine, but here we should have an additional
+dependency on X86_LOCAL_APIC so we can get the PCI_MSI_IRQ_DOMAIN symbol.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/fsl-mc/bus/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/fsl-mc/bus/Kconfig
++++ b/drivers/staging/fsl-mc/bus/Kconfig
+@@ -8,7 +8,7 @@
+
+ config FSL_MC_BUS
+ bool "QorIQ DPAA2 fsl-mc bus driver"
+- depends on OF && (ARCH_LAYERSCAPE || (COMPILE_TEST && (ARM || ARM64 || X86 || PPC)))
++ depends on OF && (ARCH_LAYERSCAPE || (COMPILE_TEST && (ARM || ARM64 || X86_LOCAL_APIC || PPC)))
+ select GENERIC_MSI_IRQ_DOMAIN
+ help
+ Driver to enable the bus infrastructure for the QorIQ DPAA2
--- /dev/null
+From 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Thu, 25 Jan 2018 14:30:45 +0200
+Subject: staging: iio: ad5933: switch buffer mode to software
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 upstream.
+
+Since commit 152a6a884ae1 ("staging:iio:accel:sca3000 move
+to hybrid hard / soft buffer design.")
+the buffer mechanism has changed and the
+INDIO_BUFFER_HARDWARE flag has been unused.
+
+Since commit 2d6ca60f3284 ("iio: Add a DMAengine framework
+based buffer")
+the INDIO_BUFFER_HARDWARE flag has been re-purposed for
+DMA buffers.
+
+This driver has lagged behind these changes, and
+in order for buffers to work, the INDIO_BUFFER_SOFTWARE
+needs to be used.
+
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Fixes: 2d6ca60f3284 ("iio: Add a DMAengine framework based buffer")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/impedance-analyzer/ad5933.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
+@@ -648,8 +648,6 @@ static int ad5933_register_ring_funcs_an
+ /* Ring buffer functions - here trigger setup related */
+ indio_dev->setup_ops = &ad5933_ring_setup_ops;
+
+- indio_dev->modes |= INDIO_BUFFER_HARDWARE;
+-
+ return 0;
+ }
+
+@@ -762,7 +760,7 @@ static int ad5933_probe(struct i2c_clien
+ indio_dev->dev.parent = &client->dev;
+ indio_dev->info = &ad5933_info;
+ indio_dev->name = id->name;
+- indio_dev->modes = INDIO_DIRECT_MODE;
++ indio_dev->modes = (INDIO_BUFFER_SOFTWARE | INDIO_DIRECT_MODE);
+ indio_dev->channels = ad5933_channels;
+ indio_dev->num_channels = ARRAY_SIZE(ad5933_channels);
+
--- /dev/null
+From e31b617d0a63c6558485aaa730fd162faa95a766 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Mon, 22 Jan 2018 11:53:12 +0200
+Subject: staging: iio: adc: ad7192: fix external frequency setting
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream.
+
+The external clock frequency was set only when selecting
+the internal clock, which is fixed at 4.9152 Mhz.
+
+This is incorrect, since it should be set when any of
+the external clock or crystal settings is selected.
+
+Added range validation for the external (crystal/clock)
+frequency setting.
+Valid values are between 2.4576 and 5.12 Mhz.
+
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/iio/adc/ad7192.c
++++ b/drivers/staging/iio/adc/ad7192.c
+@@ -141,6 +141,8 @@
+ #define AD7192_GPOCON_P1DAT BIT(1) /* P1 state */
+ #define AD7192_GPOCON_P0DAT BIT(0) /* P0 state */
+
++#define AD7192_EXT_FREQ_MHZ_MIN 2457600
++#define AD7192_EXT_FREQ_MHZ_MAX 5120000
+ #define AD7192_INT_FREQ_MHZ 4915200
+
+ /* NOTE:
+@@ -218,6 +220,12 @@ static int ad7192_calibrate_all(struct a
+ ARRAY_SIZE(ad7192_calib_arr));
+ }
+
++static inline bool ad7192_valid_external_frequency(u32 freq)
++{
++ return (freq >= AD7192_EXT_FREQ_MHZ_MIN &&
++ freq <= AD7192_EXT_FREQ_MHZ_MAX);
++}
++
+ static int ad7192_setup(struct ad7192_state *st,
+ const struct ad7192_platform_data *pdata)
+ {
+@@ -243,17 +251,20 @@ static int ad7192_setup(struct ad7192_st
+ id);
+
+ switch (pdata->clock_source_sel) {
+- case AD7192_CLK_EXT_MCLK1_2:
+- case AD7192_CLK_EXT_MCLK2:
+- st->mclk = AD7192_INT_FREQ_MHZ;
+- break;
+ case AD7192_CLK_INT:
+ case AD7192_CLK_INT_CO:
+- if (pdata->ext_clk_hz)
+- st->mclk = pdata->ext_clk_hz;
+- else
+- st->mclk = AD7192_INT_FREQ_MHZ;
++ st->mclk = AD7192_INT_FREQ_MHZ;
+ break;
++ case AD7192_CLK_EXT_MCLK1_2:
++ case AD7192_CLK_EXT_MCLK2:
++ if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) {
++ st->mclk = pdata->ext_clk_hz;
++ break;
++ }
++ dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n",
++ pdata->ext_clk_hz);
++ ret = -EINVAL;
++ goto out;
+ default:
+ ret = -EINVAL;
+ goto out;
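Review bot: The new constants AD7192_EXT_FREQ_MHZ_MIN and AD7192_EXT_FREQ_MHZ_MAX hold values in Hz (2457600 and 5120000) while their names say MHZ; they copy the existing AD7192_INT_FREQ_MHZ misnomer, but adding two more entrenches it, so either `AD7192_EXT_FREQ_HZ_MIN`/`_MAX` or a comment `/* limits are in Hz despite the _MHZ suffix */` next to the defines would help. Worth noting in the change description: the AD7192_CLK_EXT_MCLK* cases now fail with -EINVAL when platform data leaves ext_clk_hz at 0, where the old code silently fell back to the internal frequency, so existing board files may start failing probe. The enclosing ad7192_setup() continues outside the last hunk.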
--- /dev/null
+From 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Fri, 26 Jan 2018 11:56:50 -0700
+Subject: usbip: keep usbip_device sockfd state in sync with tcp_socket
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream.
+
+Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket
+is reset to null, reset sockfd to -1 to keep it in sync.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/stub_dev.c | 3 +++
+ drivers/usb/usbip/vhci_hcd.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -73,6 +73,7 @@ static ssize_t store_sockfd(struct devic
+ goto err;
+
+ sdev->ud.tcp_socket = socket;
++ sdev->ud.sockfd = sockfd;
+
+ spin_unlock_irq(&sdev->ud.lock);
+
+@@ -172,6 +173,7 @@ static void stub_shutdown_connection(str
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+
+ /* 3. free used data */
+@@ -266,6 +268,7 @@ static struct stub_device *stub_device_a
+ sdev->ud.status = SDEV_ST_AVAILABLE;
+ spin_lock_init(&sdev->ud.lock);
+ sdev->ud.tcp_socket = NULL;
++ sdev->ud.sockfd = -1;
+
+ INIT_LIST_HEAD(&sdev->priv_init);
+ INIT_LIST_HEAD(&sdev->priv_tx);
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -984,6 +984,7 @@ static void vhci_shutdown_connection(str
+ if (vdev->ud.tcp_socket) {
+ sockfd_put(vdev->ud.tcp_socket);
+ vdev->ud.tcp_socket = NULL;
++ vdev->ud.sockfd = -1;
+ }
+ pr_info("release socket\n");
+
+@@ -1030,6 +1031,7 @@ static void vhci_device_reset(struct usb
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+ ud->status = VDEV_ST_NULL;
+
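Review bot: On the stub side the hunk in stub_device_alloc() initializes `sdev->ud.sockfd = -1` at allocation time, but the vhci hunks only reset sockfd on teardown; unless the vhci device initialization path (not in this diff) already sets it, a freshly initialized vhci port reads sockfd as 0, which is a valid descriptor number and contradicts the "-1 means no socket" convention this commit establishes. If it is missing, `vdev->ud.sockfd = -1;` belongs next to wherever `vdev->ud.tcp_socket = NULL` is first assigned. All enclosing functions start and end outside the hunks.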
--- /dev/null
+From fa2dfd0ec22e0069c84dfae162972cbbc7c75488 Mon Sep 17 00:00:00 2001
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Date: Mon, 12 Feb 2018 14:24:48 +0200
+Subject: xhci: Fix NULL pointer in xhci debugfs
+
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+
+commit fa2dfd0ec22e0069c84dfae162972cbbc7c75488 upstream.
+
+Commit dde634057da7 ("xhci: Fix use-after-free in xhci debugfs") causes a
+null pointer dereference while fixing xhci-debugfs usage of ring pointers
+that were freed during hibernate.
+
+The fix passed addresses to ring pointers instead, but forgot to do this
+change for the xhci_ring_trb_show function.
+
+The address of the ring pointer passed to xhci-debugfs was of a temporary
+ring pointer "new_ring" instead of the actual ring "ring" pointer. The
+temporary new_ring pointer will be set to NULL later causing the NULL
+pointer dereference.
+
+This issue was seen when reading xhci related files in debugfs:
+
+cat /sys/kernel/debug/usb/xhci/*/devices/*/ep*/trbs
+
+[ 184.604861] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 184.613776] IP: xhci_ring_trb_show+0x3a/0x890
+[ 184.618733] PGD 264193067 P4D 264193067 PUD 263238067 PMD 0
+[ 184.625184] Oops: 0000 [#1] SMP
+[ 184.726410] RIP: 0010:xhci_ring_trb_show+0x3a/0x890
+[ 184.731944] RSP: 0018:ffffba8243c0fd90 EFLAGS: 00010246
+[ 184.737880] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000000295d6
+[ 184.746020] RDX: 00000000000295d5 RSI: 0000000000000001 RDI: ffff971a6418d400
+[ 184.754121] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+[ 184.762222] R10: ffff971a64c98a80 R11: ffff971a62a00e40 R12: ffff971a62a85500
+[ 184.770325] R13: 0000000000020000 R14: ffff971a6418d400 R15: ffff971a6418d400
+[ 184.778448] FS: 00007fe725a79700(0000) GS:ffff971a6ec00000(0000) knlGS:0000000000000000
+[ 184.787644] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 184.794168] CR2: 0000000000000000 CR3: 000000025f365005 CR4: 00000000003606f0
+[ 184.802318] Call Trace:
+[ 184.805094] ? seq_read+0x281/0x3b0
+[ 184.809068] seq_read+0xeb/0x3b0
+[ 184.812735] full_proxy_read+0x4d/0x70
+[ 184.817007] __vfs_read+0x23/0x120
+[ 184.820870] vfs_read+0x91/0x130
+[ 184.824538] SyS_read+0x42/0x90
+[ 184.828106] entry_SYSCALL_64_fastpath+0x1a/0x7d
+
+Fixes: dde634057da7 ("xhci: Fix use-after-free in xhci debugfs")
+Cc: <stable@vger.kernel.org> # v4.15
+Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-debugfs.c
++++ b/drivers/usb/host/xhci-debugfs.c
+@@ -211,7 +211,7 @@ static void xhci_ring_dump_segment(struc
+ static int xhci_ring_trb_show(struct seq_file *s, void *unused)
+ {
+ int i;
+- struct xhci_ring *ring = s->private;
++ struct xhci_ring *ring = *(struct xhci_ring **)s->private;
+ struct xhci_segment *seg = ring->first_seg;
+
+ for (i = 0; i < ring->num_segs; i++) {
+@@ -387,7 +387,7 @@ void xhci_debugfs_create_endpoint(struct
+
+ snprintf(epriv->name, sizeof(epriv->name), "ep%02d", ep_index);
+ epriv->root = xhci_debugfs_create_ring_dir(xhci,
+- &dev->eps[ep_index].new_ring,
++ &dev->eps[ep_index].ring,
+ epriv->name,
+ spriv->root);
+ spriv->eps[ep_index] = epriv;
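Review bot: The first hunk now reads the ring through `*(struct xhci_ring **)s->private`, which fixes the stale-pointer case, but the pointer read that way can itself be NULL at the time of the read: the commit message says these rings are freed during hibernate, and `ring->first_seg` on the next line dereferences it unconditionally. If the ep ring slot can be NULL while the debugfs file still exists, a guard `if (!ring) return 0;` after the assignment turns a reader-triggered oops into an empty file. xhci_ring_trb_show() continues outside the hunk.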
--- /dev/null
+From d91676717261578f429d3577dbe9154b26e8abf7 Mon Sep 17 00:00:00 2001
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Date: Mon, 12 Feb 2018 14:24:49 +0200
+Subject: xhci: Fix xhci debugfs devices node disappearance after hibernation
+
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+
+commit d91676717261578f429d3577dbe9154b26e8abf7 upstream.
+
+During system resume from hibernation, xhci host is reset, all the
+nodes in devices folder are removed in xhci_mem_cleanup function.
+Later nodes in /sys/kernel/debug/usb/xhci/* are created again in
+function xhci_run, but the nodes already exist, so the nodes still
+keep the old ones, finally device nodes in xhci debugfs folder
+/sys/kernel/debug/usb/xhci/*/devices/* are disappeared.
+
+This fix removed xhci debugfs nodes before the nodes are re-created,
+so all the nodes in xhci debugfs can be re-created successfully.
+
+Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
+Cc: <stable@vger.kernel.org> # v4.15
+Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1018,6 +1018,7 @@ int xhci_resume(struct xhci_hcd *xhci, b
+
+ xhci_dbg(xhci, "cleaning up memory\n");
+ xhci_mem_cleanup(xhci);
++ xhci_debugfs_exit(xhci);
+ xhci_dbg(xhci, "xhci_stop completed - status = %x\n",
+ readl(&xhci->op_regs->status));
+
--- /dev/null
+From 11cd764dc9a030991880ad4d51db93918afa5822 Mon Sep 17 00:00:00 2001
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Date: Mon, 12 Feb 2018 14:24:51 +0200
+Subject: xhci: fix xhci debugfs errors in xhci_stop
+
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+
+commit 11cd764dc9a030991880ad4d51db93918afa5822 upstream.
+
+In function xhci_stop, xhci_debugfs_exit called before xhci_mem_cleanup.
+xhci_debugfs_exit removed the xhci debugfs root nodes, xhci_mem_cleanup
+called function xhci_free_virt_devices_depth_first which in turn called
+function xhci_debugfs_remove_slot.
+Function xhci_debugfs_remove_slot removed the nodes for devices, the nodes
+folders are sub folder of xhci debugfs.
+
+It is unreasonable to remove xhci debugfs root folder before
+xhci debugfs sub folder. Function xhci_mem_cleanup should be called
+before function xhci_debugfs_exit.
+
+Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
+Cc: <stable@vger.kernel.org> # v4.15
+Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -652,8 +652,6 @@ static void xhci_stop(struct usb_hcd *hc
+ return;
+ }
+
+- xhci_debugfs_exit(xhci);
+-
+ spin_lock_irq(&xhci->lock);
+ xhci->xhc_state |= XHCI_STATE_HALTED;
+ xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
+@@ -685,6 +683,7 @@ static void xhci_stop(struct usb_hcd *hc
+
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init, "cleaning up memory");
+ xhci_mem_cleanup(xhci);
++ xhci_debugfs_exit(xhci);
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+ "xhci_stop completed - status = %x",
+ readl(&xhci->op_regs->status));
--- /dev/null
+From 8c5a93ebf7ac56d47f879b3c7c2f8c83b40c2cdb Mon Sep 17 00:00:00 2001
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Date: Mon, 12 Feb 2018 14:24:50 +0200
+Subject: xhci: xhci debugfs device nodes weren't removed after device plugged out
+
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+
+commit 8c5a93ebf7ac56d47f879b3c7c2f8c83b40c2cdb upstream.
+
+There is a bug after plugged out USB device, the device and its ep00
+nodes are still kept, we need to remove the nodes in xhci_free_dev when
+USB device is plugged out.
+
+Fixes: 052f71e25a7e ("xhci: Fix xhci debugfs NULL pointer dereference in resume from hibernate")
+Cc: <stable@vger.kernel.org> # v4.15
+Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3552,12 +3552,10 @@ static void xhci_free_dev(struct usb_hcd
+ virt_dev->eps[i].ep_state &= ~EP_STOP_CMD_PENDING;
+ del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);
+ }
+-
++ xhci_debugfs_remove_slot(xhci, udev->slot_id);
+ ret = xhci_disable_slot(xhci, udev->slot_id);
+- if (ret) {
+- xhci_debugfs_remove_slot(xhci, udev->slot_id);
++ if (ret)
+ xhci_free_virt_device(xhci, udev->slot_id);
+- }
+ }
+
+ int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
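Review bot: xhci_debugfs_remove_slot() is now called unconditionally before xhci_disable_slot(), while on the success path the virt device is freed later and asynchronously when the Disable Slot command completes; if that completion path also calls xhci_debugfs_remove_slot() (it is not in this diff), the function must tolerate a second call on the same slot, e.g. by returning early when the slot's debugfs private data is already NULL, otherwise the second call touches freed debugfs state. A short comment at the new call site stating that the removal happens here because the slot may be torn down asynchronously would help the next reader. The enclosing xhci_free_dev() starts outside the hunk.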