--- /dev/null
+From 32eb12a6c11034867401d56b012e3c15d5f8141e Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Tue, 3 Jan 2017 17:43:01 +0000
+Subject: KVM: MIPS: Flush KVM entry code from icache globally
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 32eb12a6c11034867401d56b012e3c15d5f8141e upstream.
+
+Flush the KVM entry code from the icache on all CPUs, not just the one
+that built the entry code.
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář" <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/mips.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -324,8 +324,8 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+ #endif
+
+ /* Invalidate the icache for these ranges */
+- local_flush_icache_range((unsigned long)gebase,
+- (unsigned long)gebase + ALIGN(size, PAGE_SIZE));
++ flush_icache_range((unsigned long)gebase,
++ (unsigned long)gebase + ALIGN(size, PAGE_SIZE));
+
+ /*
+ * Allocate comm page for guest kernel, a TLB will be reserved for
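Review bot: The existing comment above the flush, `/* Invalidate the icache for these ranges */`, no longer records why the global variant is needed, which is the entire point of the change; suggest `/* Invalidate the icache for these ranges on all CPUs: the vcpu may later run on a CPU other than the one that built the entry code */`, which restates the commit message next to the call. Without it the next reader has no local reason not to "optimise" back to `local_flush_icache_range()`. kvm_arch_vcpu_create() starts and ends outside the hunk.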
--- /dev/null
+From 6ef4e07ecd2db21025c446327ecf34414366498b Mon Sep 17 00:00:00 2001
+From: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+Date: Sat, 24 Dec 2016 10:00:42 +0100
+Subject: KVM: x86: reset MMU on KVM_SET_VCPU_EVENTS
+
+From: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+
+commit 6ef4e07ecd2db21025c446327ecf34414366498b upstream.
+
+Otherwise, mismatch between the smm bit in hflags and the MMU role
+can cause a NULL pointer dereference.
+
+Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2949,6 +2949,8 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_
+ memset(&events->reserved, 0, sizeof(events->reserved));
+ }
+
++static void kvm_set_hflags(struct kvm_vcpu *vcpu, unsigned emul_flags);
++
+ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
+ struct kvm_vcpu_events *events)
+ {
+@@ -2981,10 +2983,13 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_e
+ vcpu->arch.apic->sipi_vector = events->sipi_vector;
+
+ if (events->flags & KVM_VCPUEVENT_VALID_SMM) {
++ u32 hflags = vcpu->arch.hflags;
+ if (events->smi.smm)
+- vcpu->arch.hflags |= HF_SMM_MASK;
++ hflags |= HF_SMM_MASK;
+ else
+- vcpu->arch.hflags &= ~HF_SMM_MASK;
++ hflags &= ~HF_SMM_MASK;
++ kvm_set_hflags(vcpu, hflags);
++
+ vcpu->arch.smi_pending = events->smi.pending;
+ if (events->smi.smm_inside_nmi)
+ vcpu->arch.hflags |= HF_SMM_INSIDE_NMI_MASK;
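Review bot: The forward declaration `static void kvm_set_hflags(struct kvm_vcpu *vcpu, unsigned emul_flags);` inserted above kvm_vcpu_ioctl_x86_set_vcpu_events() has no comment, so a reader must search the file to learn why the SMM bit is no longer written to `vcpu->arch.hflags` directly; suggest `/* defined later in this file; resets the MMU when HF_SMM_MASK changes so hflags and the MMU role stay in sync */` (the MMU-reset part comes from the commit message, not from the hunk). The `HF_SMM_INSIDE_NMI_MASK` update two lines below still writes `vcpu->arch.hflags` directly, which is presumably fine because that bit does not feed the MMU role, but a one-line note there would stop a future "fix" routing it through kvm_set_hflags() as well. The enclosing function continues outside the hunk.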
alsa-usb-audio-fix-irq-process-data-synchronization.patch
arm-davinci-da850-don-t-add-emac-clock-to-lookup-table-twice.patch
mac80211-initialize-fast-xmit-info-later.patch
+kvm-x86-reset-mmu-on-kvm_set_vcpu_events.patch
+kvm-mips-flush-kvm-entry-code-from-icache-globally.patch
+usb-musb-core-add-clear_ep_rxintr-to-musb_platform_ops.patch
+usb-musb-dsps-implement-clear_ep_rxintr-callback.patch
+usb-storage-unusual_uas-add-jmicron-jms56x-to-unusual-device.patch
+usb-gadgetfs-restrict-upper-bound-on-device-configuration-size.patch
+usb-gadgetfs-fix-unbounded-memory-allocation-bug.patch
+usb-gadgetfs-fix-use-after-free-bug.patch
+usb-gadgetfs-fix-checks-of-wtotallength-in-config-descriptors.patch
+usb-fix-problems-with-duplicate-endpoint-addresses.patch
+usb-dummy-hcd-fix-bug-in-stop_activity-handle-ep0.patch
+usb-gadget-composite-test-get_alt-presence-instead-of-set_alt.patch
+usb-dwc3-core-avoid-overflow-events.patch
+usb-xhci-fix-possible-wild-pointer.patch
--- /dev/null
+From bcdbeb844773333d2d1c08004f3b3e25921040e5 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 14 Dec 2016 14:55:56 -0500
+Subject: USB: dummy-hcd: fix bug in stop_activity (handle ep0)
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.
+
+The stop_activity() routine in dummy-hcd is supposed to unlink all
+active requests for every endpoint, among other things. But it
+doesn't handle ep0. As a result, fuzz testing can generate a WARNING
+like the following:
+
+WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
+Modules linked in:
+CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
+ ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
+ ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
+ [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
+ [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
+ [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
+ [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
+ [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
+ [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357
+
+This patch fixes the problem by iterating over all the endpoints in
+the driver's ep array instead of iterating over the gadget's ep_list,
+which explicitly leaves out ep0.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -330,7 +330,7 @@ static void nuke(struct dummy *dum, stru
+ /* caller must hold lock */
+ static void stop_activity(struct dummy *dum)
+ {
+- struct dummy_ep *ep;
++ int i;
+
+ /* prevent any more requests */
+ dum->address = 0;
+@@ -338,8 +338,8 @@ static void stop_activity(struct dummy *
+ /* The timer is left running so that outstanding URBs can fail */
+
+ /* nuke any pending requests first, so driver i/o is quiesced */
+- list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
+- nuke(dum, ep);
++ for (i = 0; i < DUMMY_ENDPOINTS; ++i)
++ nuke(dum, &dum->ep[i]);
+
+ /* driver now does any non-usb quiescing necessary */
+ }
--- /dev/null
+From e71d363d9c611c99fb78f53bfee99616e7fe352c Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Fri, 23 Dec 2016 14:40:40 +0200
+Subject: usb: dwc3: core: avoid Overflow events
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit e71d363d9c611c99fb78f53bfee99616e7fe352c upstream.
+
+Now that we're handling so many transfers at a time
+and for some dwc3 revisions LPM events *must* be
+enabled, we can fall into a situation where too many
+events fire and we start receiving Overflow events.
+
+Let's do what XHCI does and allocate a full page for
+the Event Ring, this will avoid any future issues.
+
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -42,9 +42,7 @@
+ #define DWC3_XHCI_RESOURCES_NUM 2
+
+ #define DWC3_SCRATCHBUF_SIZE 4096 /* each buffer is assumed to be 4KiB */
+-#define DWC3_EVENT_SIZE 4 /* bytes */
+-#define DWC3_EVENT_MAX_NUM 64 /* 2 events/endpoint */
+-#define DWC3_EVENT_BUFFERS_SIZE (DWC3_EVENT_SIZE * DWC3_EVENT_MAX_NUM)
++#define DWC3_EVENT_BUFFERS_SIZE 4096
+ #define DWC3_EVENT_TYPE_MASK 0xfe
+
+ #define DWC3_EVENT_TYPE_DEV 0
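Review bot: The new `#define DWC3_EVENT_BUFFERS_SIZE 4096` carries no comment, while the commit message's rationale ("allocate a full page like xHCI does") is exactly what a reader of core.h needs; suggest `#define DWC3_EVENT_BUFFERS_SIZE 4096 /* one 4KiB page, as xHCI does, to avoid Overflow events */`. Note the value is a literal 4096 rather than PAGE_SIZE, so on configurations with larger pages it is not "a full page"; if the controller requires a fixed-size ring that is the right choice, but the comment should say so. Removing `DWC3_EVENT_SIZE` and `DWC3_EVENT_MAX_NUM` will break any other translation unit that still references them; the diffstat touching only core.h suggests there are none, which is worth confirming with a tree-wide grep.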
--- /dev/null
+From 0a8fd1346254974c3a852338508e4a4cddbb35f1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 19 Dec 2016 12:03:41 -0500
+Subject: USB: fix problems with duplicate endpoint addresses
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.
+
+When checking a new device's descriptors, the USB core does not check
+for duplicate endpoint addresses. This can cause a problem when the
+sysfs files for those endpoints are created; trying to create multiple
+files with the same name will provoke a WARNING:
+
+WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
+sysfs: cannot create duplicate filename
+'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+ ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
+ ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
+ ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
+ [<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
+ [<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
+ [<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
+ [<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
+ [< inline >] create_dir lib/kobject.c:71
+ [<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
+ [< inline >] kobject_add_varg lib/kobject.c:366
+ [<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
+ [<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
+ [<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
+ [<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
+ [<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
+ [<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
+ [<ffffffff82cc9e2e>] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
+ [<ffffffff82caa7fa>] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263
+
+This patch prevents the problem by checking for duplicate endpoint
+addresses during enumeration and skipping any duplicates.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -205,6 +205,16 @@ static int usb_parse_endpoint(struct dev
+ if (ifp->desc.bNumEndpoints >= num_ep)
+ goto skip_to_next_endpoint_or_interface_descriptor;
+
++ /* Check for duplicate endpoint addresses */
++ for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
++ if (ifp->endpoint[i].desc.bEndpointAddress ==
++ d->bEndpointAddress) {
++ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
++ cfgno, inum, asnum, d->bEndpointAddress);
++ goto skip_to_next_endpoint_or_interface_descriptor;
++ }
++ }
++
+ endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+ ++ifp->desc.bNumEndpoints;
+
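Review bot: The new duplicate check compares the full `bEndpointAddress`, so an IN and an OUT endpoint sharing the same number (e.g. 0x05 and 0x85) are still accepted as distinct, which matches the USB model but is easy to misread as a gap; suggest extending the new comment to `/* Check for duplicate endpoint addresses (full address incl. direction bit, so 0x05 and 0x85 are distinct) */`. The loop reuses `i`, which must already be declared in usb_parse_endpoint() outside the hunk; presumably it is not live across this insertion, but that is worth a glance since the function starts and ends outside the hunk. Skipping rather than failing the whole configuration is the conservative choice here, because these descriptors come from the device and a single malformed interface should not take down enumeration of the rest.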
--- /dev/null
+From 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f Mon Sep 17 00:00:00 2001
+From: Krzysztof Opasiak <k.opasiak@samsung.com>
+Date: Tue, 20 Dec 2016 19:52:16 +0100
+Subject: usb: gadget: composite: Test get_alt() presence instead of set_alt()
+
+From: Krzysztof Opasiak <k.opasiak@samsung.com>
+
+commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream.
+
+By convention (according to doc) if function does not provide
+get_alt() callback composite framework should assume that it has only
+altsetting 0 and should respond with error if host tries to set
+other one.
+
+After commit dd4dff8b035f ("USB: composite: Fix bug: should test
+set_alt function pointer before use it")
+we started checking set_alt() callback instead of get_alt().
+This check is useless as we check if set_alt() is set inside
+usb_add_function() and fail if it's NULL.
+
+Let's fix this check and move comment about why we check the get
+method instead of set a little bit closer to prevent future false
+fixes.
+
+Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it")
+Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/composite.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1601,9 +1601,7 @@ composite_setup(struct usb_gadget *gadge
+ value = min(w_length, (u16) 1);
+ break;
+
+- /* function drivers must handle get/set altsetting; if there's
+- * no get() method, we know only altsetting zero works.
+- */
++ /* function drivers must handle get/set altsetting */
+ case USB_REQ_SET_INTERFACE:
+ if (ctrl->bRequestType != USB_RECIP_INTERFACE)
+ goto unknown;
+@@ -1612,7 +1610,13 @@ composite_setup(struct usb_gadget *gadge
+ f = cdev->config->interface[intf];
+ if (!f)
+ break;
+- if (w_value && !f->set_alt)
++
++ /*
++ * If there's no get_alt() method, we know only altsetting zero
++ * works. There is no need to check if set_alt() is not NULL
++ * as we check this in usb_add_function().
++ */
++ if (w_value && !f->get_alt)
+ break;
+ value = f->set_alt(f, w_index, w_value);
+ if (value == USB_GADGET_DELAYED_STATUS) {
--- /dev/null
+From 1c069b057dcf64fada952eaa868d35f02bb0cfc2 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 9 Dec 2016 15:24:24 -0500
+Subject: USB: gadgetfs: fix checks of wTotalLength in config descriptors
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.
+
+Andrey Konovalov's fuzz testing of gadgetfs showed that we should
+improve the driver's checks for valid configuration descriptors passed
+in by the user. In particular, the driver needs to verify that the
+wTotalLength value in the descriptor is not too short (smaller
+than USB_DT_CONFIG_SIZE). And the check for whether wTotalLength is
+too large has to be changed, because the driver assumes there is
+always enough room remaining in the buffer to hold a device descriptor
+(at least USB_DT_DEVICE_SIZE bytes).
+
+This patch adds the additional check and fixes the existing check. It
+may do a little more than strictly necessary, but one extra check
+won't hurt.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/inode.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1755,10 +1755,12 @@ static struct usb_gadget_driver probe_dr
+ * such as configuration notifications.
+ */
+
+-static int is_valid_config (struct usb_config_descriptor *config)
++static int is_valid_config(struct usb_config_descriptor *config,
++ unsigned int total)
+ {
+ return config->bDescriptorType == USB_DT_CONFIG
+ && config->bLength == USB_DT_CONFIG_SIZE
++ && total >= USB_DT_CONFIG_SIZE
+ && config->bConfigurationValue != 0
+ && (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
+ && (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
+@@ -1808,7 +1810,8 @@ dev_config (struct file *fd, const char
+ /* full or low speed config */
+ dev->config = (void *) kbuf;
+ total = le16_to_cpu(dev->config->wTotalLength);
+- if (!is_valid_config (dev->config) || total >= length)
++ if (!is_valid_config(dev->config, total) ||
++ total > length - USB_DT_DEVICE_SIZE)
+ goto fail;
+ kbuf += total;
+ length -= total;
+@@ -1817,7 +1820,8 @@ dev_config (struct file *fd, const char
+ if (kbuf [1] == USB_DT_CONFIG) {
+ dev->hs_config = (void *) kbuf;
+ total = le16_to_cpu(dev->hs_config->wTotalLength);
+- if (!is_valid_config (dev->hs_config) || total >= length)
++ if (!is_valid_config(dev->hs_config, total) ||
++ total > length - USB_DT_DEVICE_SIZE)
+ goto fail;
+ kbuf += total;
+ length -= total;
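Review bot: The new bound `total > length - USB_DT_DEVICE_SIZE` is only meaningful if `length >= USB_DT_DEVICE_SIZE` at both call sites; if `length` is an unsigned type and could be smaller, the subtraction wraps and the check passes for any `total`. The minimum-length test at the top of dev_config() (visible in the sibling patch, `len < USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4`) appears to guarantee this for the first config, and the first check then guarantees it for the second, but the type of `length` and its relation to `len` are outside the hunk. Suggest a one-line comment above the first check, `/* length >= USB_DT_DEVICE_SIZE is guaranteed by the initial len check, so the subtraction cannot wrap */`, so the invariant survives future edits. dev_config() starts and ends outside the hunk.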
--- /dev/null
+From faab50984fe6636e616c7cc3d30308ba391d36fd Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 9 Dec 2016 15:17:46 -0500
+Subject: USB: gadgetfs: fix unbounded memory allocation bug
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.
+
+Andrey Konovalov reports that fuzz testing with syzkaller causes a
+KASAN warning in gadgetfs:
+
+BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
+Write of size 65537 by task syz-executor0/6356
+CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
+ ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
+ ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
+ [< inline >] print_address_description mm/kasan/report.c:197
+ [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
+ [<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
+ [< inline >] check_memory_region_inline mm/kasan/kasan.c:308
+ [<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
+ [<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
+ [< inline >] copy_from_user arch/x86/include/asm/uaccess.h:689
+ [< inline >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
+ [<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
+ [<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
+ [<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
+ [< inline >] SYSC_write fs/read_write.c:607
+ [<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
+ [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Indeed, there is a comment saying that the value of len is restricted
+to a 16-bit integer, but the code doesn't actually do this.
+
+This patch fixes the warning. It replaces the comment with a
+computation that forces the amount of data copied from the user in
+ep0_write() to be no larger than the wLength size for the control
+transfer, which is a 16-bit quantity.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1125,7 +1125,7 @@ ep0_write (struct file *fd, const char _
+ /* data and/or status stage for control request */
+ } else if (dev->state == STATE_DEV_SETUP) {
+
+- /* IN DATA+STATUS caller makes len <= wLength */
++ len = min_t(size_t, len, dev->setup_wLength);
+ if (dev->setup_in) {
+ retval = setup_req (dev->gadget->ep0, dev->req, len);
+ if (retval == 0) {
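Review bot: Replacing the comment with `len = min_t(size_t, len, dev->setup_wLength);` drops the "IN DATA+STATUS" context that told the reader which stage this branch serves; suggest keeping a short comment above the new line, `/* IN DATA+STATUS: never copy more than the host's 16-bit wLength from user space */`. That also documents that the clamp is a security bound on user-controlled `len`, not a protocol nicety, so it is not removed later as redundant. ep0_write() starts and ends outside the hunk.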
--- /dev/null
+From add333a81a16abbd4f106266a2553677a165725f Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 9 Dec 2016 15:18:43 -0500
+Subject: USB: gadgetfs: fix use-after-free bug
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit add333a81a16abbd4f106266a2553677a165725f upstream.
+
+Andrey Konovalov reports that fuzz testing with syzkaller causes a
+KASAN use-after-free bug report in gadgetfs:
+
+BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
+Read of size 2 by task syz-executor0/22994
+CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
+ ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
+ ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
+Call Trace:
+ <IRQ> [ 201.343209] [< inline >] __dump_stack lib/dump_stack.c:15
+ <IRQ> [ 201.343209] [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
+ [< inline >] print_address_description mm/kasan/report.c:197
+ [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
+ [< inline >] kasan_report mm/kasan/report.c:306
+ [<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
+ [< inline >] config_buf drivers/usb/gadget/legacy/inode.c:1298
+ [<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
+ [<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
+ [<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
+ [< inline >] expire_timers kernel/time/timer.c:1348
+ [<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
+ [<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
+ [<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284
+
+The cause of the bug is subtle. The dev_config() routine gets called
+twice by the fuzzer. The first time, the user data contains both a
+full-speed configuration descriptor and a high-speed config
+descriptor, causing dev->hs_config to be set. But it also contains an
+invalid device descriptor, so the buffer containing the descriptors is
+deallocated and dev_config() returns an error.
+
+The second time dev_config() is called, the user data contains only a
+full-speed config descriptor. But dev->hs_config still has the stale
+pointer remaining from the first call, causing the routine to think
+that there is a valid high-speed config. Later on, when the driver
+dereferences the stale pointer to copy that descriptor, we get a
+use-after-free access.
+
+The fix is simple: Clear dev->hs_config if the passed-in data does not
+contain a high-speed config descriptor.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1821,6 +1821,8 @@ dev_config (struct file *fd, const char
+ goto fail;
+ kbuf += total;
+ length -= total;
++ } else {
++ dev->hs_config = NULL;
+ }
+
+ /* could support multiple configs, using another encoding! */
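Review bot: The fix clears `dev->hs_config` only on the no-high-speed path; `dev->config` is assigned earlier in the same function (visible in the sibling wTotalLength patch as `dev->config = (void *) kbuf;`) before the descriptor is validated, and on the `goto fail` paths both `dev->config` and `dev->hs_config` would still point into the buffer the commit message says is deallocated. Whether the fail label resets them is outside the hunk, so this is an inference; if it does not, the same stale-pointer class remains on the error path and a `dev->config = dev->hs_config = NULL;` there would close it. A comment on the new `else` branch, `/* no high-speed config this time: drop any stale pointer from a previous call */`, would also record why an assignment to NULL is required here. dev_config() starts and ends outside the hunk.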
--- /dev/null
+From 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 6 Dec 2016 08:36:29 +0100
+Subject: usb: gadgetfs: restrict upper bound on device configuration size
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.
+
+Andrey Konovalov reported that we were not properly checking the upper
+limit before of a device configuration size before calling
+memdup_user(), which could cause some problems.
+
+So set the upper limit to PAGE_SIZE * 4, which should be good enough for
+all devices.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1783,7 +1783,8 @@ dev_config (struct file *fd, const char
+ }
+ spin_unlock_irq(&dev->lock);
+
+- if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
++ if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
++ (len > PAGE_SIZE * 4))
+ return -EINVAL;
+
+ /* we might need to change message format someday */
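Review bot: The upper bound `len > PAGE_SIZE * 4` is a magic expression inline in the condition, with the rationale ("good enough for all devices") living only in the commit message; suggest a named constant next to the other limits, e.g. `#define DEV_CONFIG_MAX_LEN (PAGE_SIZE * 4) /* upper bound on user-supplied descriptor blob */` (constructed name) and `(len > DEV_CONFIG_MAX_LEN)` here. The extra parentheses around each comparison are also non-idiomatic for kernel style, though harmless. dev_config() starts and ends outside the hunk.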
--- /dev/null
+From 6def85a396ce7796bd9f4561c6ae8138833f7a52 Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Tue, 3 Jan 2017 18:13:46 -0600
+Subject: usb: musb: core: add clear_ep_rxintr() to musb_platform_ops
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 6def85a396ce7796bd9f4561c6ae8138833f7a52 upstream.
+
+During dma teardown for dequque urb, if musb load is high, musb might
+generate bogus rx ep interrupt even when the rx fifo is flushed. In such
+case any of the follow log messages could happen.
+
+ musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0
+
+ musb_host_rx 1936: RX3 dma busy, csr 2020
+
+As mentioned in the current inline comment, clearing ep interrupt in the
+teardown path avoids the bogus interrupt.
+
+Clearing ep interrupt is platform dependent, so this patch adds a
+platform callback to allow glue driver to clear the ep interrupt.
+
+This bug seems to be existing since the initial driver for musb support,
+but I only validated the fix back to v4.1, so only cc stable for v4.1+.
+
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_core.h | 7 +++++++
+ drivers/usb/musb/musb_host.c | 10 ++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/musb/musb_core.h
++++ b/drivers/usb/musb/musb_core.h
+@@ -214,6 +214,7 @@ struct musb_platform_ops {
+ dma_addr_t *dma_addr, u32 *len);
+ void (*pre_root_reset_end)(struct musb *musb);
+ void (*post_root_reset_end)(struct musb *musb);
++ void (*clear_ep_rxintr)(struct musb *musb, int epnum);
+ };
+
+ /*
+@@ -612,4 +613,10 @@ static inline void musb_platform_post_ro
+ musb->ops->post_root_reset_end(musb);
+ }
+
++static inline void musb_platform_clear_ep_rxintr(struct musb *musb, int epnum)
++{
++ if (musb->ops->clear_ep_rxintr)
++ musb->ops->clear_ep_rxintr(musb, epnum);
++}
++
+ #endif /* __MUSB_CORE_H__ */
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -2390,12 +2390,11 @@ static int musb_cleanup_urb(struct urb *
+ int is_in = usb_pipein(urb->pipe);
+ int status = 0;
+ u16 csr;
++ struct dma_channel *dma = NULL;
+
+ musb_ep_select(regs, hw_end);
+
+ if (is_dma_capable()) {
+- struct dma_channel *dma;
+-
+ dma = is_in ? ep->rx_channel : ep->tx_channel;
+ if (dma) {
+ status = ep->musb->dma_controller->channel_abort(dma);
+@@ -2412,10 +2411,9 @@ static int musb_cleanup_urb(struct urb *
+ /* giveback saves bulk toggle */
+ csr = musb_h_flush_rxfifo(ep, 0);
+
+- /* REVISIT we still get an irq; should likely clear the
+- * endpoint's irq status here to avoid bogus irqs.
+- * clearing that status is platform-specific...
+- */
++ /* clear the endpoint's irq status here to avoid bogus irqs */
++ if (is_dma_capable() && dma)
++ musb_platform_clear_ep_rxintr(musb, ep->epnum);
+ } else if (ep->epnum) {
+ musb_h_tx_flush_fifo(ep);
+ csr = musb_readw(epio, MUSB_TXCSR);
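Review bot: The new `clear_ep_rxintr` member of struct musb_platform_ops has no comment describing its calling context, and the caller in musb_cleanup_urb() reaches it from the URB teardown path where the companion dsps patch notes `musb->lock` may already be held; suggest `void (*clear_ep_rxintr)(struct musb *musb, int epnum); /* clear a bogus RX ep irq after fifo flush; may be called with musb->lock held */` so glue implementors do not take the lock. In the musb_host.c hunk, `is_dma_capable() && dma` is redundant at runtime since `dma` is only assigned inside `if (is_dma_capable())`, but it presumably lets a constant-false `is_dma_capable()` drop the call entirely, which is worth a short comment. musb_cleanup_urb() starts and ends outside the hunk.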
--- /dev/null
+From c48400baa02155a5ddad63e8554602e48782278c Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Tue, 3 Jan 2017 18:13:47 -0600
+Subject: usb: musb: dsps: implement clear_ep_rxintr() callback
+
+From: Bin Liu <b-liu@ti.com>
+
+commit c48400baa02155a5ddad63e8554602e48782278c upstream.
+
+During dma teardown for dequque urb, if musb load is high, musb might
+generate bogus rx ep interrupt even when the rx fifo is flushed. In such
+case any of the follow log messages could happen.
+
+ musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0
+
+ musb_host_rx 1936: RX3 dma busy, csr 2020
+
+As mentioned in the current inline comment, clearing ep interrupt in the
+teardown path avoids the bogus interrupt, so implement clear_ep_rxintr()
+callback.
+
+This bug seems to be existing since the initial driver for musb support,
+but I only validated the fix back to v4.1, so only cc stable for v4.1+.
+
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_dsps.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -301,6 +301,17 @@ static void otg_timer(unsigned long _mus
+ spin_unlock_irqrestore(&musb->lock, flags);
+ }
+
++void dsps_musb_clear_ep_rxintr(struct musb *musb, int epnum)
++{
++ u32 epintr;
++ struct dsps_glue *glue = dev_get_drvdata(musb->controller->parent);
++ const struct dsps_musb_wrapper *wrp = glue->wrp;
++
++ /* musb->lock might already been held */
++ epintr = (1 << epnum) << wrp->rxep_shift;
++ musb_writel(musb->ctrl_base, wrp->epintr_status, epintr);
++}
++
+ static irqreturn_t dsps_interrupt(int irq, void *hci)
+ {
+ struct musb *musb = hci;
+@@ -647,6 +658,7 @@ static struct musb_platform_ops dsps_ops
+ .try_idle = dsps_musb_try_idle,
+ .set_mode = dsps_musb_set_mode,
+ .recover = dsps_musb_recover,
++ .clear_ep_rxintr = dsps_musb_clear_ep_rxintr,
+ };
+
+ static u64 musb_dmamask = DMA_BIT_MASK(32);
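Review bot: `dsps_musb_clear_ep_rxintr()` is defined without `static` although its only use is the `.clear_ep_rxintr` initialiser in the same file, so it leaks into the global namespace and sparse will flag it as lacking a prototype; suggest `static void dsps_musb_clear_ep_rxintr(struct musb *musb, int epnum)`. The shift `(1 << epnum) << wrp->rxep_shift` is only safe while `epnum` plus `rxep_shift` stays below 32; that is presumably guaranteed by the hardware endpoint count, but a comment such as `/* epnum is bounded by the controller's endpoint count */` would make the assumption visible. The comment `/* musb->lock might already been held */` should read `/* musb->lock might already be held */`.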
--- /dev/null
+From 674aea07e38200ea6f31ff6d5f200f0cf6cdb325 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Mon, 2 Jan 2017 15:26:17 +0100
+Subject: usb: storage: unusual_uas: Add JMicron JMS56x to unusual device
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 674aea07e38200ea6f31ff6d5f200f0cf6cdb325 upstream.
+
+This device gives the following error on detection.
+xhci_hcd 0000:00:11.0: ERROR Transfer event for disabled endpoint or
+incorrect stream ring
+
+The same error is not seen when it is added to unusual_device
+list with US_FL_NO_REPORT_OPCODES passed.
+
+Signed-off-by: George Cherian <george.cherian@cavium.com>
+Signed-off-by: Oliver Neukum <oneukun@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2135,6 +2135,13 @@ UNUSUAL_DEV( 0x22b8, 0x3010, 0x0001, 0x
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ),
+
++/* Reported-by George Cherian <george.cherian@cavium.com> */
++UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
++ "JMicron",
++ "JMS56x",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_REPORT_OPCODES),
++
+ /*
+ * Patch by Constantin Baranov <const@tltsu.ru>
+ * Report by Andreas Koenecke.
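Review bot: The entry is added to unusual_devs.h while the patch subject says "unusual_uas", so either the subject or the table is inconsistent; if the device is meant to be quirked on the UAS path as the subject implies, this entry would not take effect there, which is worth confirming. The table comment `/* Reported-by George Cherian <...> */` could follow the neighbouring entries' style (`Report by` / `Patch by`) for consistency.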
--- /dev/null
+From 2b985467371a58ae44d76c7ba12b0951fee6ed98 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Tue, 3 Jan 2017 18:28:46 +0200
+Subject: usb: xhci: fix possible wild pointer
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 2b985467371a58ae44d76c7ba12b0951fee6ed98 upstream.
+
+handle_cmd_completion() frees a command structure which might be still
+referenced by xhci->current_cmd.
+This might cause problem when xhci->current_cmd is accessed after that.
+
+A real-life case could be like this. The host takes a very long time to
+respond to a command, and the command timer is fired at the same time
+when the command completion event arrives. The command completion
+handler frees xhci->current_cmd before the timer function can grab
+xhci->lock. Afterward, timer function grabs the lock and go ahead with
+checking and setting members of xhci->current_cmd.
+
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1268,14 +1268,18 @@ void xhci_handle_command_timeout(unsigne
+ bool second_timeout = false;
+ xhci = (struct xhci_hcd *) data;
+
+- /* mark this command to be cancelled */
+ spin_lock_irqsave(&xhci->lock, flags);
+- if (xhci->current_cmd) {
+- if (xhci->current_cmd->status == COMP_CMD_ABORT)
+- second_timeout = true;
+- xhci->current_cmd->status = COMP_CMD_ABORT;
++
++ if (!xhci->current_cmd) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ return;
+ }
+
++ /* mark this command to be cancelled */
++ if (xhci->current_cmd->status == COMP_CMD_ABORT)
++ second_timeout = true;
++ xhci->current_cmd->status = COMP_CMD_ABORT;
++
+ /* Make sure command ring is running before aborting it */
+ hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+ if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&
+@@ -1424,6 +1428,8 @@ static void handle_cmd_completion(struct
+ xhci->current_cmd = list_entry(cmd->cmd_list.next,
+ struct xhci_command, cmd_list);
+ mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT);
++ } else if (xhci->current_cmd == cmd) {
++ xhci->current_cmd = NULL;
+ }
+
+ event_handled:
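Review bot: The early return added in xhci_handle_command_timeout() when `xhci->current_cmd` is NULL has no comment, and the reason (the completion handler freed the command and cleared the pointer before the timer could take the lock) is only in the commit message; suggest `/* Command already completed and freed before we got xhci->lock; nothing to abort. */` above the `if (!xhci->current_cmd)`. The matching `else if (xhci->current_cmd == cmd) xhci->current_cmd = NULL;` in handle_cmd_completion() deserves a one-liner too, e.g. `/* don't leave a dangling current_cmd for the timeout handler */`. Both enclosing functions start and end outside their hunks.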