--- /dev/null
+From gregkh@linuxfoundation.org Fri Mar 16 14:27:34 2018
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 13 Mar 2018 10:56:00 +0100
+Subject: fixup: sctp: verify size of a new chunk in _sctp_make_chunk()
+To: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Alexey Kodanev <alexey.kodanev@oracle.com>, Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>, Neil Horman <nhorman@tuxdriver.com>, "David S. Miller" <davem@davemloft.net>
+Message-ID: <20180313095600.GA5131@kroah.com>
+Content-Disposition: inline
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Ben writes:
+> > + int chunklen;
+> > +
+> > + chunklen = sizeof(*chunk_hdr) + paylen;
+>
+> I think this length still needs to be rounded up (with WORD_ROUND here,
+> instead of SCTP_PAD4 upstream).
+
+So here's a fix for this problem.
+
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/sm_make_chunk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -1369,7 +1369,7 @@ static struct sctp_chunk *_sctp_make_chu
+ struct sock *sk;
+ int chunklen;
+
+- chunklen = sizeof(*chunk_hdr) + paylen;
++ chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
+ if (chunklen > SCTP_MAX_CHUNK_LEN)
+ goto nodata;
+
--- /dev/null
+From 9f2068f35729948bde84d87a40d135015911345d Mon Sep 17 00:00:00 2001
+From: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Date: Tue, 13 Feb 2018 15:04:46 +0100
+Subject: serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
+
+From: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+
+commit 9f2068f35729948bde84d87a40d135015911345d upstream.
+
+Add PCI ids for two variants of Brainboxes UC-260 quad port
+PCI serial cards.
+
+Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -5300,6 +5300,17 @@ static struct pci_device_id serial_pci_t
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */
+ pbn_b2_4_115200 },
+ /*
++ * BrainBoxes UC-260
++ */
++ { PCI_VENDOR_ID_INTASHIELD, 0x0D21,
++ PCI_ANY_ID, PCI_ANY_ID,
++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
++ pbn_b2_4_115200 },
++ { PCI_VENDOR_ID_INTASHIELD, 0x0E34,
++ PCI_ANY_ID, PCI_ANY_ID,
++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
++ pbn_b2_4_115200 },
++ /*
+ * Perle PCI-RAS cards
+ */
+ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030,
--- /dev/null
+From 7842055bfce4bf0170d0f61df8b2add8399697be Mon Sep 17 00:00:00 2001
+From: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+Date: Thu, 15 Feb 2018 13:02:27 +0100
+Subject: serial: sh-sci: prevent lockup on full TTY buffers
+
+From: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+
+commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream.
+
+When the TTY buffers fill up to the configured maximum, a system lockup
+occurs:
+
+[ 598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks:
+[ 598.825796] 0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1
+[ 598.832577] (detected by 3, t=62517 jiffies, g=296, c=295, q=126)
+[ 598.838755] Task dump for CPU 0:
+[ 598.841977] swapper/0 R running task 0 0 0 0x00000022
+[ 598.849023] Call trace:
+[ 598.851476] __switch_to+0x98/0xb0
+[ 598.854870] (null)
+
+This can be prevented by doing a dummy read of the RX data register.
+
+This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0;
+reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms
+as well.
+
+Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/sh-sci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -847,6 +847,8 @@ static void sci_receive_chars(struct uar
+ /* Tell the rest of the system the news. New characters! */
+ tty_flip_buffer_push(tport);
+ } else {
++ /* TTY buffers full; read from RX reg to prevent lockup */
++ serial_port_in(port, SCxRDR);
+ serial_port_in(port, SCxSR); /* dummy read */
+ sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port));
+ }
revert-arm-dts-logicpd-torpedo-fix-i2c1-pinmux.patch
x86-module-detect-and-skip-invalid-relocations.patch
x86-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch
+serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch
+tty-serial-atmel-add-new-version-check-for-usart.patch
+uas-fix-comparison-for-error-code.patch
+staging-comedi-fix-comedi_nsamples_left.patch
+staging-android-ashmem-fix-lockdep-issue-during-llseek.patch
+usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch
+usb-quirks-add-control-message-delay-for-1b1c-1b20.patch
+usb-usbmon-remove-assignment-from-is_err-argument.patch
+usb-usbmon-read-text-within-supplied-buffer-size.patch
+usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch
+serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch
+fixup-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch
--- /dev/null
+From cb57469c9573f6018cd1302953dd45d6e05aba7b Mon Sep 17 00:00:00 2001
+From: Joel Fernandes <joelaf@google.com>
+Date: Fri, 16 Feb 2018 11:02:01 -0800
+Subject: staging: android: ashmem: Fix lockdep issue during llseek
+
+From: Joel Fernandes <joelaf@google.com>
+
+commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.
+
+ashmem_mutex create a chain of dependencies like so:
+
+(1)
+mmap syscall ->
+ mmap_sem -> (acquired)
+ ashmem_mmap
+ ashmem_mutex (try to acquire)
+ (block)
+
+(2)
+llseek syscall ->
+ ashmem_llseek ->
+ ashmem_mutex -> (acquired)
+ inode_lock ->
+ inode->i_rwsem (try to acquire)
+ (block)
+
+(3)
+getdents ->
+ iterate_dir ->
+ inode_lock ->
+ inode->i_rwsem (acquired)
+ copy_to_user ->
+ mmap_sem (try to acquire)
+
+There is a lock ordering created between mmap_sem and inode->i_rwsem
+causing a lockdep splat [2] during a syzcaller test, this patch fixes
+the issue by unlocking the mutex earlier. Functionally that's Ok since
+we don't need to protect vfs_llseek.
+
+[1] https://patchwork.kernel.org/patch/10185031/
+[2] https://lkml.org/lkml/2018/1/10/48
+
+Acked-by: Todd Kjos <tkjos@google.com>
+Cc: Arve Hjonnevag <arve@android.com>
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
+Signed-off-by: Joel Fernandes <joelaf@google.com>
+Acked-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file
+ mutex_lock(&ashmem_mutex);
+
+ if (asma->size == 0) {
+- ret = -EINVAL;
+- goto out;
++ mutex_unlock(&ashmem_mutex);
++ return -EINVAL;
+ }
+
+ if (!asma->file) {
+- ret = -EBADF;
+- goto out;
++ mutex_unlock(&ashmem_mutex);
++ return -EBADF;
+ }
+
++ mutex_unlock(&ashmem_mutex);
++
+ ret = vfs_llseek(asma->file, offset, origin);
+ if (ret < 0)
+- goto out;
++ return ret;
+
+ /** Copy f_pos from backing file, since f_ops->llseek() sets it */
+ file->f_pos = asma->file->f_pos;
+-
+-out:
+- mutex_unlock(&ashmem_mutex);
+ return ret;
+ }
+
--- /dev/null
+From a42ae5905140c324362fe5036ae1dbb16e4d359c Mon Sep 17 00:00:00 2001
+From: Frank Mori Hess <fmh6jj@gmail.com>
+Date: Thu, 15 Feb 2018 15:13:42 -0500
+Subject: staging: comedi: fix comedi_nsamples_left.
+
+From: Frank Mori Hess <fmh6jj@gmail.com>
+
+commit a42ae5905140c324362fe5036ae1dbb16e4d359c upstream.
+
+A rounding error was causing comedi_nsamples_left to
+return the wrong value when nsamples was not a multiple
+of the scan length.
+
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Frank Mori Hess <fmh6jj@gmail.com>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/staging/comedi/drivers.c
++++ b/drivers/staging/comedi/drivers.c
+@@ -484,8 +484,7 @@ unsigned int comedi_nsamples_left(struct
+ struct comedi_cmd *cmd = &async->cmd;
+
+ if (cmd->stop_src == TRIG_COUNT) {
+- unsigned int nscans = nsamples / cmd->scan_end_arg;
+- unsigned int scans_left = __comedi_nscans_left(s, nscans);
++ unsigned int scans_left = __comedi_nscans_left(s, cmd->stop_arg);
+ unsigned int scan_pos =
+ comedi_bytes_to_samples(s, async->scan_progress);
+ unsigned long long samples_left = 0;
--- /dev/null
+From fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 Mon Sep 17 00:00:00 2001
+From: Jonas Danielsson <jonas@orbital-systems.com>
+Date: Mon, 29 Jan 2018 12:39:15 +0100
+Subject: tty/serial: atmel: add new version check for usart
+
+From: Jonas Danielsson <jonas@orbital-systems.com>
+
+commit fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 upstream.
+
+On our at91sam9260 based board the usart0 and usart1 ports report
+their versions (ATMEL_US_VERSION) as 0x10302. This version is not
+included in the current checks in the driver.
+
+Signed-off-by: Jonas Danielsson <jonas@orbital-systems.com>
+Acked-by: Richard Genoud <richard.genoud@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1783,6 +1783,7 @@ static void atmel_get_ip_name(struct uar
+ switch (version) {
+ case 0x302:
+ case 0x10213:
++ case 0x10302:
+ dev_dbg(port->dev, "This version is usart\n");
+ atmel_port->is_usart = true;
+ break;
--- /dev/null
+From 9a513c905bb95bef79d96feb08621c1ec8d8c4bb Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 6 Mar 2018 15:04:24 +0100
+Subject: uas: fix comparison for error code
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 9a513c905bb95bef79d96feb08621c1ec8d8c4bb upstream.
+
+A typo broke the comparison.
+
+Fixes: cbeef22fd611 ("usb: uas: unconditionally bring back host after reset")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+CC: stable@kernel.org
+Acked-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/uas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -1052,7 +1052,7 @@ static int uas_post_reset(struct usb_int
+ return 0;
+
+ err = uas_configure_endpoints(devinfo);
+- if (err && err != ENODEV)
++ if (err && err != -ENODEV)
+ shost_printk(KERN_ERR, shost,
+ "%s: alloc streams error %d after reset",
+ __func__, err);
--- /dev/null
+From 1a087f032111a88e826877449dfb93ceb22b78b9 Mon Sep 17 00:00:00 2001
+From: Xinyong <xinyong.fang@linux.alibaba.com>
+Date: Fri, 2 Mar 2018 19:20:07 +0800
+Subject: usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
+
+From: Xinyong <xinyong.fang@linux.alibaba.com>
+
+commit 1a087f032111a88e826877449dfb93ceb22b78b9 upstream.
+
+When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
+overflowed, While functionfs is unmounting, ffs_data is put twice.
+
+Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
+refcount_t") can avoid refcount overflow, but that is risk some situations.
+So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.
+
+The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
+KASAN enabled configuration reports use-after-free errro.
+
+BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
+Read of size 4 by task umount/4650
+====================================================
+BUG kmalloc-512 (Tainted: P W O ): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
+ alloc_debug_processing+0x1ac/0x1e8
+ ___slab_alloc.constprop.63+0x640/0x648
+ __slab_alloc.isra.57.constprop.62+0x24/0x34
+ kmem_cache_alloc_trace+0x1a8/0x2bc
+ ffs_fs_mount+0x194/0x844
+ mount_fs+0x6c/0x1d0
+ vfs_kern_mount+0x50/0x1b4
+ do_mount+0x258/0x1034
+INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
+ free_debug_processing+0x22c/0x434
+ __slab_free+0x2d8/0x3a0
+ kfree+0x254/0x264
+ ffs_data_put+0x25c/0x320
+ ffs_data_closed+0x124/0x15c
+ ffs_fs_kill_sb+0xb8/0x110
+ deactivate_locked_super+0x6c/0x98
+ deactivate_super+0xb0/0xbc
+INFO: Object 0xffffffc057938600 @offset=1536 fp=0x (null)
+......
+Call trace:
+[<ffffff900808cf5c>] dump_backtrace+0x0/0x250
+[<ffffff900808d3a0>] show_stack+0x14/0x1c
+[<ffffff90084a8c04>] dump_stack+0xa0/0xc8
+[<ffffff900826c2b4>] print_trailer+0x158/0x260
+[<ffffff900826d9d8>] object_err+0x3c/0x40
+[<ffffff90082745f0>] kasan_report_error+0x2a8/0x754
+[<ffffff9008274f84>] kasan_report+0x5c/0x60
+[<ffffff9008273208>] __asan_load4+0x70/0x88
+[<ffffff90084cd81c>] refcount_dec_and_test+0x14/0xe0
+[<ffffff9008d98f9c>] ffs_data_put+0x80/0x320
+[<ffffff9008d9d904>] ffs_fs_kill_sb+0xc8/0x110
+[<ffffff90082852a0>] deactivate_locked_super+0x6c/0x98
+[<ffffff900828537c>] deactivate_super+0xb0/0xbc
+[<ffffff90082af0c0>] cleanup_mnt+0x64/0xec
+[<ffffff90082af1b0>] __cleanup_mnt+0x10/0x18
+[<ffffff90080d9e68>] task_work_run+0xcc/0x124
+[<ffffff900808c8c0>] do_notify_resume+0x60/0x70
+[<ffffff90080866e4>] work_pending+0x10/0x14
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Xinyong <xinyong.fang@linux.alibaba.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1333,7 +1333,6 @@ ffs_fs_kill_sb(struct super_block *sb)
+ if (sb->s_fs_info) {
+ ffs_release_dev(sb->s_fs_info);
+ ffs_data_closed(sb->s_fs_info);
+- ffs_data_put(sb->s_fs_info);
+ }
+ }
+
--- /dev/null
+From cb88a0588717ba6c756cb5972d75766b273a6817 Mon Sep 17 00:00:00 2001
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Date: Tue, 6 Mar 2018 09:38:49 +0100
+Subject: usb: quirks: add control message delay for 1b1c:1b20
+
+From: Danilo Krummrich <danilokrummrich@dk-develop.de>
+
+commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.
+
+Corsair Strafe RGB keyboard does not respond to usb control messages
+sometimes and hence generates timeouts.
+
+Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair
+Strafe RGB keyboard") tried to fix those timeouts by adding
+USB_QUIRK_DELAY_INIT.
+
+Unfortunately, even with this quirk timeouts of usb_control_msg()
+can still be seen, but with a lower frequency (approx. 1 out of 15):
+
+[ 29.103520] usb 1-8: string descriptor 0 read error: -110
+[ 34.363097] usb 1-8: can't set config #1, error -110
+
+Adding further delays to different locations where usb control
+messages are issued just moves the timeouts to other locations,
+e.g.:
+
+[ 35.400533] usbhid 1-8:1.0: can't add hid device: -110
+[ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110
+
+The only way to reliably avoid those issues is having a pause after
+each usb control message. In approx. 200 boot cycles no more timeouts
+were seen.
+
+Addionaly, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary
+to have the delay in hub_port_connect() after hub_port_init().
+
+The overall boot time seems not to be influenced by these additional
+delays, even on fast machines and lightweight distributions.
+
+Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
+Cc: stable@vger.kernel.org
+Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/message.c | 4 ++++
+ drivers/usb/core/quirks.c | 3 ++-
+ include/linux/usb/quirks.h | 3 +++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -147,6 +147,10 @@ int usb_control_msg(struct usb_device *d
+
+ ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
+
++ /* Linger a bit, prior to the next control message. */
++ if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
++ msleep(200);
++
+ kfree(dr);
+
+ return ret;
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+
+ /* Corsair Strafe RGB */
+- { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
++ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
++ USB_QUIRK_DELAY_CTRL_MSG },
+
+ /* Corsair K70 LUX */
+ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -56,4 +56,7 @@
+ */
+ #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
+
++/* Device needs a pause after every control message. */
++#define USB_QUIRK_DELAY_CTRL_MSG BIT(13)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
--- /dev/null
+From 5126a504b63d82785eaece3a9c30c660b313785a Mon Sep 17 00:00:00 2001
+From: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
+Date: Thu, 1 Mar 2018 19:34:29 +0200
+Subject: USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
+
+From: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
+
+commit 5126a504b63d82785eaece3a9c30c660b313785a upstream.
+
+This USB-SATA controller seems to be similar with JMicron bridge
+152d:2566 already on the list. Adding it here fixes "Invalid
+field in cdb" errors.
+
+Signed-off-by: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
+Cc: stable@vger.kernel.org
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2142,6 +2142,13 @@ UNUSUAL_DEV( 0x22b8, 0x3010, 0x0001, 0x
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ),
+
++/* Reported by Teijo Kinnunen <teijo.kinnunen@code-q.fi> */
++UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117,
++ "JMicron",
++ "USB to ATA/ATAPI Bridge",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_BROKEN_FUA ),
++
+ /* Reported-by George Cherian <george.cherian@cavium.com> */
+ UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
+ "JMicron",
--- /dev/null
+From a5f596830e27e15f7a0ecd6be55e433d776986d8 Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev <zaitcev@kotori.zaitcev.us>
+Date: Fri, 9 Mar 2018 00:21:14 -0600
+Subject: usb: usbmon: Read text within supplied buffer size
+
+From: Pete Zaitcev <zaitcev@kotori.zaitcev.us>
+
+commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.
+
+This change fixes buffer overflows and silent data corruption with the
+usbmon device driver text file read operations.
+
+Signed-off-by: Fredrik Noring <noring@nocrew.org>
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/mon/mon_text.c | 124 +++++++++++++++++++++++++++------------------
+ 1 file changed, 77 insertions(+), 47 deletions(-)
+
+--- a/drivers/usb/mon/mon_text.c
++++ b/drivers/usb/mon/mon_text.c
+@@ -82,6 +82,8 @@ struct mon_reader_text {
+
+ wait_queue_head_t wait;
+ int printf_size;
++ size_t printf_offset;
++ size_t printf_togo;
+ char *printf_buf;
+ struct mutex printf_lock;
+
+@@ -373,75 +375,103 @@ err_alloc:
+ return rc;
+ }
+
+-/*
+- * For simplicity, we read one record in one system call and throw out
+- * what does not fit. This means that the following does not work:
+- * dd if=/dbg/usbmon/0t bs=10
+- * Also, we do not allow seeks and do not bother advancing the offset.
+- */
++static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
++ char __user * const buf, const size_t nbytes)
++{
++ const size_t togo = min(nbytes, rp->printf_togo);
++
++ if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo))
++ return -EFAULT;
++ rp->printf_togo -= togo;
++ rp->printf_offset += togo;
++ return togo;
++}
++
++/* ppos is not advanced since the llseek operation is not permitted. */
+ static ssize_t mon_text_read_t(struct file *file, char __user *buf,
+- size_t nbytes, loff_t *ppos)
++ size_t nbytes, loff_t *ppos)
+ {
+ struct mon_reader_text *rp = file->private_data;
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
++ ssize_t ret;
+
+- ep = mon_text_read_wait(rp, file);
+- if (IS_ERR(ep))
+- return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+- ptr.cnt = 0;
+- ptr.pbuf = rp->printf_buf;
+- ptr.limit = rp->printf_size;
+-
+- mon_text_read_head_t(rp, &ptr, ep);
+- mon_text_read_statset(rp, &ptr, ep);
+- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+- " %d", ep->length);
+- mon_text_read_data(rp, &ptr, ep);
+
+- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+- ptr.cnt = -EFAULT;
++ if (rp->printf_togo == 0) {
++
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep)) {
++ mutex_unlock(&rp->printf_lock);
++ return PTR_ERR(ep);
++ }
++ ptr.cnt = 0;
++ ptr.pbuf = rp->printf_buf;
++ ptr.limit = rp->printf_size;
++
++ mon_text_read_head_t(rp, &ptr, ep);
++ mon_text_read_statset(rp, &ptr, ep);
++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
++ " %d", ep->length);
++ mon_text_read_data(rp, &ptr, ep);
++
++ rp->printf_togo = ptr.cnt;
++ rp->printf_offset = 0;
++
++ kmem_cache_free(rp->e_slab, ep);
++ }
++
++ ret = mon_text_copy_to_user(rp, buf, nbytes);
+ mutex_unlock(&rp->printf_lock);
+- kmem_cache_free(rp->e_slab, ep);
+- return ptr.cnt;
++ return ret;
+ }
+
++/* ppos is not advanced since the llseek operation is not permitted. */
+ static ssize_t mon_text_read_u(struct file *file, char __user *buf,
+- size_t nbytes, loff_t *ppos)
++ size_t nbytes, loff_t *ppos)
+ {
+ struct mon_reader_text *rp = file->private_data;
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
++ ssize_t ret;
+
+- ep = mon_text_read_wait(rp, file);
+- if (IS_ERR(ep))
+- return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+- ptr.cnt = 0;
+- ptr.pbuf = rp->printf_buf;
+- ptr.limit = rp->printf_size;
+
+- mon_text_read_head_u(rp, &ptr, ep);
+- if (ep->type == 'E') {
+- mon_text_read_statset(rp, &ptr, ep);
+- } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
+- mon_text_read_isostat(rp, &ptr, ep);
+- mon_text_read_isodesc(rp, &ptr, ep);
+- } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
+- mon_text_read_intstat(rp, &ptr, ep);
+- } else {
+- mon_text_read_statset(rp, &ptr, ep);
++ if (rp->printf_togo == 0) {
++
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep)) {
++ mutex_unlock(&rp->printf_lock);
++ return PTR_ERR(ep);
++ }
++ ptr.cnt = 0;
++ ptr.pbuf = rp->printf_buf;
++ ptr.limit = rp->printf_size;
++
++ mon_text_read_head_u(rp, &ptr, ep);
++ if (ep->type == 'E') {
++ mon_text_read_statset(rp, &ptr, ep);
++ } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
++ mon_text_read_isostat(rp, &ptr, ep);
++ mon_text_read_isodesc(rp, &ptr, ep);
++ } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
++ mon_text_read_intstat(rp, &ptr, ep);
++ } else {
++ mon_text_read_statset(rp, &ptr, ep);
++ }
++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
++ " %d", ep->length);
++ mon_text_read_data(rp, &ptr, ep);
++
++ rp->printf_togo = ptr.cnt;
++ rp->printf_offset = 0;
++
++ kmem_cache_free(rp->e_slab, ep);
+ }
+- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+- " %d", ep->length);
+- mon_text_read_data(rp, &ptr, ep);
+
+- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+- ptr.cnt = -EFAULT;
++ ret = mon_text_copy_to_user(rp, buf, nbytes);
+ mutex_unlock(&rp->printf_lock);
+- kmem_cache_free(rp->e_slab, ep);
+- return ptr.cnt;
++ return ret;
+ }
+
+ static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp,
--- /dev/null
+From 46c236dc7d1212d7417e6fb0317f91c44c719322 Mon Sep 17 00:00:00 2001
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sat, 26 Dec 2015 22:57:44 +0100
+Subject: USB: usbmon: remove assignment from IS_ERR argument
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+commit 46c236dc7d1212d7417e6fb0317f91c44c719322 upstream.
+
+The semantic patch that makes this change is as follows:
+(http://coccinelle.lip6.fr/)
+
+// <smpl>
+@@
+expression e1,e2;
+statement S1,S2;
+@@
+
++e1 = e2;
+if (IS_ERR(
+ e1
+- = e2
+ )) S1 else S2
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/mon/mon_text.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/mon/mon_text.c
++++ b/drivers/usb/mon/mon_text.c
+@@ -386,7 +386,8 @@ static ssize_t mon_text_read_t(struct fi
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
+
+- if (IS_ERR(ep = mon_text_read_wait(rp, file)))
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep))
+ return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+ ptr.cnt = 0;
+@@ -413,7 +414,8 @@ static ssize_t mon_text_read_u(struct fi
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
+
+- if (IS_ERR(ep = mon_text_read_wait(rp, file)))
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep))
+ return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+ ptr.cnt = 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
