4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Jul 2018 16:40:29 +0000 (18:40 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Jul 2018 16:40:29 +0000 (18:40 +0200)
added patches:
clocksource-initialize-cs-wd_list.patch
crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch
media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch
net-cxgb3_main-fix-potential-spectre-v1.patch
net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
rtlwifi-fix-kernel-oops-fw-download-fail.patch
rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch

queue-4.14/clocksource-initialize-cs-wd_list.patch [new file with mode: 0644]
queue-4.14/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch [new file with mode: 0644]
queue-4.14/media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch [new file with mode: 0644]
queue-4.14/net-cxgb3_main-fix-potential-spectre-v1.patch [new file with mode: 0644]
queue-4.14/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch [new file with mode: 0644]
queue-4.14/rtlwifi-fix-kernel-oops-fw-download-fail.patch [new file with mode: 0644]
queue-4.14/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch [new file with mode: 0644]

diff --git a/queue-4.14/clocksource-initialize-cs-wd_list.patch b/queue-4.14/clocksource-initialize-cs-wd_list.patch
new file mode 100644 (file)
index 0000000..125264c
--- /dev/null
@@ -0,0 +1,40 @@
+From 5b9e886a4af97574ca3ce1147f35545da0e7afc7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 30 Apr 2018 12:00:11 +0200
+Subject: clocksource: Initialize cs->wd_list
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 5b9e886a4af97574ca3ce1147f35545da0e7afc7 upstream.
+
+A number of places relies on list_empty(&cs->wd_list), however the
+list_head does not get initialized. Do so upon registration, such that
+thereafter it is possible to rely on list_empty() correctly reflecting
+the list membership status.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Diego Viola <diego.viola@gmail.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: stable@vger.kernel.org
+Cc: len.brown@intel.com
+Cc: rjw@rjwysocki.net
+Cc: rui.zhang@intel.com
+Link: https://lkml.kernel.org/r/20180430100344.472662715@infradead.org
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/clocksource.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -322,6 +322,8 @@ static void clocksource_enqueue_watchdog
+ {
+       unsigned long flags;
++      INIT_LIST_HEAD(&cs->wd_list);
++
+       spin_lock_irqsave(&watchdog_lock, flags);
+       if (cs->flags & CLOCK_SOURCE_MUST_VERIFY) {
+               /* cs is a clocksource to be watched. */
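Review bot: The new `INIT_LIST_HEAD(&cs->wd_list)` in clocksource_enqueue_watchdog() runs before `spin_lock_irqsave(&watchdog_lock, flags)` is taken, and nothing in the hunk says why that is safe. It appears to rely on cs not being linked on any watchdog list when this function is entered. If the function could be reached for a clocksource that is already enqueued, re-initialising the head would leave its neighbours pointing at a node that no longer points back. I would either move the initialisation under the lock or add a comment such as `/* cs is not on any watchdog list yet; make list_empty(&cs->wd_list) meaningful */`. The rest of the function body is outside the hunk, so the callers' guarantees cannot be confirmed from here.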
diff --git a/queue-4.14/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch b/queue-4.14/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch
new file mode 100644 (file)
index 0000000..257f5e1
--- /dev/null
@@ -0,0 +1,41 @@
+From 2546da99212f22034aecf279da9c47cbfac6c981 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Sat, 7 Jul 2018 20:41:47 +0200
+Subject: crypto: af_alg - Initialize sg_num_bytes in error code path
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit 2546da99212f22034aecf279da9c47cbfac6c981 upstream.
+
+The RX SGL in processing is already registered with the RX SGL tracking
+list to support proper cleanup. The cleanup code path uses the
+sg_num_bytes variable which must therefore be always initialized, even
+in the error code path.
+
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Reported-by: syzbot+9c251bdd09f83b92ba95@syzkaller.appspotmail.com
+#syz test: https://github.com/google/kmsan.git master
+CC: <stable@vger.kernel.org> #4.14
+Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1183,8 +1183,10 @@ int af_alg_get_rsgl(struct sock *sk, str
+               /* make one iovec available as scatterlist */
+               err = af_alg_make_sg(&rsgl->sgl, &msg->msg_iter, seglen);
+-              if (err < 0)
++              if (err < 0) {
++                      rsgl->sg_num_bytes = 0;
+                       return err;
++              }
+               /* chain the new scatterlist with previous one */
+               if (areq->last_rsgl)
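Review bot: Zeroing `rsgl->sg_num_bytes` only inside the `err < 0` branch after af_alg_make_sg() repairs this one exit. Any other early exit taken after rsgl is on the tracking list would hand the cleanup path an uninitialised length again. The commit message states that cleanup reads sg_num_bytes for every registered entry, so the sturdier place for `rsgl->sg_num_bytes = 0;` is next to the list registration, which lies above the hunk and is not visible here. With that in place the braces added to this branch would no longer be needed. If the per-branch form is kept, a comment like `/* cleanup walks the rsgl list and reads sg_num_bytes */` on the new line would stop a later error path from omitting it.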
diff --git a/queue-4.14/media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch b/queue-4.14/media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch
new file mode 100644 (file)
index 0000000..b09fccd
--- /dev/null
@@ -0,0 +1,39 @@
+From 8d4068810d9926250dd2435719a080b889eb44c3 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Tue, 6 Mar 2018 08:57:57 -0500
+Subject: media: rc: oops in ir_timer_keyup after device unplug
+
+From: Sean Young <sean@mess.org>
+
+commit 8d4068810d9926250dd2435719a080b889eb44c3 upstream.
+
+If there is IR in the raw kfifo when ir_raw_event_unregister() is called,
+then kthread_stop() causes ir_raw_event_thread to be scheduled, decode
+some scancodes and re-arm timer_keyup. The timer_keyup then fires when
+the rc device is long gone.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/rc-main.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1824,11 +1824,11 @@ void rc_unregister_device(struct rc_dev
+       if (!dev)
+               return;
+-      del_timer_sync(&dev->timer_keyup);
+-
+       if (dev->driver_type == RC_DRIVER_IR_RAW)
+               ir_raw_event_unregister(dev);
++      del_timer_sync(&dev->timer_keyup);
++
+       rc_free_rx_device(dev);
+       device_del(&dev->dev);
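Review bot: The order of `ir_raw_event_unregister(dev)` and `del_timer_sync(&dev->timer_keyup)` in rc_unregister_device() is now load-bearing, but the code carries no comment, so a later cleanup could move the timer teardown back to the top. I would add above the moved call: `/* must follow ir_raw_event_unregister(): stopping the raw thread can decode pending IR and re-arm timer_keyup */`. For drivers that are not RC_DRIVER_IR_RAW the hunk shows nothing that prevents a late key event from re-arming the timer after del_timer_sync() returns; whether such a path exists depends on code outside the hunk and is worth confirming.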
diff --git a/queue-4.14/net-cxgb3_main-fix-potential-spectre-v1.patch b/queue-4.14/net-cxgb3_main-fix-potential-spectre-v1.patch
new file mode 100644 (file)
index 0000000..7fe38ef
--- /dev/null
@@ -0,0 +1,53 @@
+From 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 16 Jul 2018 20:59:58 -0500
+Subject: net: cxgb3_main: fix potential Spectre v1
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream.
+
+t.qset_idx can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
+warn: potential spectre issue 'adapter->msix_info'
+
+Fix this by sanitizing t.qset_idx before using it to index
+adapter->msix_info
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -51,6 +51,7 @@
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/uaccess.h>
++#include <linux/nospec.h>
+ #include "common.h"
+ #include "cxgb3_ioctl.h"
+@@ -2268,6 +2269,7 @@ static int cxgb_extension_ioctl(struct n
+               if (t.qset_idx >= nqsets)
+                       return -EINVAL;
++              t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
+               q = &adapter->params.sge.qset[q1 + t.qset_idx];
+               t.rspq_size = q->rspq_size;
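Review bot: The added `array_index_nospec(t.qset_idx, nqsets)` clamps qset_idx against nqsets, but the access on the next line indexes with `q1 + t.qset_idx`. The bound under speculation therefore holds only if q1 + nqsets never exceeds the size of `adapter->params.sge.qset`, and of `adapter->msix_info`, which the commit message names but the hunk does not show. q1 and nqsets are computed above the hunk, so this cannot be confirmed from here. A comment on the new line would record the dependency, for example `/* clamp under speculation; q1 + nqsets must stay within qset[] */`. Other cases in cxgb_extension_ioctl() that index by a user-supplied qset_idx are outside the hunk and should be checked for the same pattern.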
diff --git a/queue-4.14/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch b/queue-4.14/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
new file mode 100644 (file)
index 0000000..a93414f
--- /dev/null
@@ -0,0 +1,55 @@
+From dea39aca1d7aef1e2b95b07edeacf04cc8863a2e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Sun, 15 Jul 2018 21:53:20 +0200
+Subject: net: lan78xx: Fix race in tx pending skb size calculation
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit dea39aca1d7aef1e2b95b07edeacf04cc8863a2e upstream.
+
+The skb size calculation in lan78xx_tx_bh is in race with the start_xmit,
+which could lead to rare kernel oopses. So protect the whole skb walk with
+a spin lock. As a benefit we can unlink the skb directly.
+
+This patch was tested on Raspberry Pi 3B+
+
+Link: https://github.com/raspberrypi/linux/issues/2608
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/lan78xx.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3197,6 +3197,7 @@ static void lan78xx_tx_bh(struct lan78xx
+       pkt_cnt = 0;
+       count = 0;
+       length = 0;
++      spin_lock_irqsave(&tqp->lock, flags);
+       for (skb = tqp->next; pkt_cnt < tqp->qlen; skb = skb->next) {
+               if (skb_is_gso(skb)) {
+                       if (pkt_cnt) {
+@@ -3205,7 +3206,8 @@ static void lan78xx_tx_bh(struct lan78xx
+                       }
+                       count = 1;
+                       length = skb->len - TX_OVERHEAD;
+-                      skb2 = skb_dequeue(tqp);
++                      __skb_unlink(skb, tqp);
++                      spin_unlock_irqrestore(&tqp->lock, flags);
+                       goto gso_skb;
+               }
+@@ -3214,6 +3216,7 @@ static void lan78xx_tx_bh(struct lan78xx
+               skb_totallen = skb->len + roundup(skb_totallen, sizeof(u32));
+               pkt_cnt++;
+       }
++      spin_unlock_irqrestore(&tqp->lock, flags);
+       /* copy to a single skb */
+       skb = alloc_skb(skb_totallen, GFP_ATOMIC);
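Review bot: The new `spin_lock_irqsave(&tqp->lock, flags)` in lan78xx_tx_bh() covers only the walk that computes `pkt_cnt` and `skb_totallen`; both values are consumed after `spin_unlock_irqrestore()`, starting with the `alloc_skb(skb_totallen, GFP_ATOMIC)` visible at the end of the hunk. If anything other than this function can remove entries from the pending queue in that window, the later dequeue loop, which is outside the hunk, would see fewer skbs than were counted. I would state the assumption next to the unlock, e.g. `/* only tx_bh dequeues from txq_pend; the copy loop below must tolerate a NULL skb_dequeue() */`, and confirm that the copy loop does. In the GSO branch `skb2` is no longer assigned now that `skb_dequeue()` is replaced by `__skb_unlink(skb, tqp)`, so the code after the `gso_skb` label should be checked for reads of skb2.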
diff --git a/queue-4.14/rtlwifi-fix-kernel-oops-fw-download-fail.patch b/queue-4.14/rtlwifi-fix-kernel-oops-fw-download-fail.patch
new file mode 100644 (file)
index 0000000..0c7a7c8
--- /dev/null
@@ -0,0 +1,165 @@
+From 12dfa2f68ab659636e092db13b5d17cf9aac82af Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Fri, 22 Jun 2018 13:31:57 +0800
+Subject: rtlwifi: Fix kernel Oops "Fw download fail!!"
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit 12dfa2f68ab659636e092db13b5d17cf9aac82af upstream.
+
+When connecting to AP, mac80211 asks driver to enter and leave PS quickly,
+but driver deinit doesn't wait for delayed work complete when entering PS,
+then driver reinit procedure and delay work are running simultaneously.
+This will cause unpredictable kernel oops or crash like
+
+rtl8723be: error H2C cmd because of Fw download fail!!!
+WARNING: CPU: 3 PID: 159 at drivers/net/wireless/realtek/rtlwifi/
+        rtl8723be/fw.c:227 rtl8723be_fill_h2c_cmd+0x182/0x510 [rtl8723be]
+CPU: 3 PID: 159 Comm: kworker/3:2 Tainted: G       O     4.16.13-2-ARCH #1
+Hardware name: ASUSTeK COMPUTER INC. X556UF/X556UF, BIOS X556UF.406
+              10/21/2016
+Workqueue: rtl8723be_pci rtl_c2hcmd_wq_callback [rtlwifi]
+RIP: 0010:rtl8723be_fill_h2c_cmd+0x182/0x510 [rtl8723be]
+RSP: 0018:ffffa6ab01e1bd70 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffffa26069071520 RCX: 0000000000000001
+RDX: 0000000080000001 RSI: ffffffff8be70e9c RDI: 00000000ffffffff
+RBP: 0000000000000000 R08: 0000000000000048 R09: 0000000000000348
+R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+R13: ffffa26069071520 R14: 0000000000000000 R15: ffffa2607d205f70
+FS:  0000000000000000(0000) GS:ffffa26081d80000(0000) knlGS:000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000443b39d3000 CR3: 000000037700a005 CR4: 00000000003606e0
+Call Trace:
+ ? halbtc_send_bt_mp_operation.constprop.17+0xd5/0xe0 [btcoexist]
+ ? ex_btc8723b1ant_bt_info_notify+0x3b8/0x820 [btcoexist]
+ ? rtl_c2hcmd_launcher+0xab/0x110 [rtlwifi]
+ ? process_one_work+0x1d1/0x3b0
+ ? worker_thread+0x2b/0x3d0
+ ? process_one_work+0x3b0/0x3b0
+ ? kthread+0x112/0x130
+ ? kthread_create_on_node+0x60/0x60
+ ? ret_from_fork+0x35/0x40
+Code: 00 76 b4 e9 e2 fe ff ff 4c 89 ee 4c 89 e7 e8 56 22 86 ca e9 5e ...
+
+This patch ensures all delayed works done before entering PS to satisfy
+our expectation, so use cancel_delayed_work_sync() instead. An exception
+is delayed work ips_nic_off_wq because running task may be itself, so add
+a parameter ips_wq to deinit function to handle this case.
+
+This issue is reported and fixed in below threads:
+https://github.com/lwfinger/rtlwifi_new/issues/367
+https://github.com/lwfinger/rtlwifi_new/issues/366
+
+Tested-by: Evgeny Kapun <abacabadabacaba@gmail.com> # 8723DE
+Tested-by: Shivam Kakkar <shivam543@gmail.com> # 8723BE on 4.18-rc1
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Fixes: cceb0a597320 ("rtlwifi: Add work queue for c2h cmd.")
+Cc: Stable <stable@vger.kernel.org> # 4.11+
+Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c |   17 ++++++++++-------
+ drivers/net/wireless/realtek/rtlwifi/base.h |    2 +-
+ drivers/net/wireless/realtek/rtlwifi/core.c |    2 +-
+ drivers/net/wireless/realtek/rtlwifi/pci.c  |    2 +-
+ drivers/net/wireless/realtek/rtlwifi/ps.c   |    4 ++--
+ drivers/net/wireless/realtek/rtlwifi/usb.c  |    2 +-
+ 6 files changed, 16 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -483,18 +483,21 @@ static void _rtl_init_deferred_work(stru
+ }
+-void rtl_deinit_deferred_work(struct ieee80211_hw *hw)
++void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq)
+ {
+       struct rtl_priv *rtlpriv = rtl_priv(hw);
+       del_timer_sync(&rtlpriv->works.watchdog_timer);
+-      cancel_delayed_work(&rtlpriv->works.watchdog_wq);
+-      cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq);
+-      cancel_delayed_work(&rtlpriv->works.ps_work);
+-      cancel_delayed_work(&rtlpriv->works.ps_rfon_wq);
+-      cancel_delayed_work(&rtlpriv->works.fwevt_wq);
+-      cancel_delayed_work(&rtlpriv->works.c2hcmd_wq);
++      cancel_delayed_work_sync(&rtlpriv->works.watchdog_wq);
++      if (ips_wq)
++              cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq);
++      else
++              cancel_delayed_work_sync(&rtlpriv->works.ips_nic_off_wq);
++      cancel_delayed_work_sync(&rtlpriv->works.ps_work);
++      cancel_delayed_work_sync(&rtlpriv->works.ps_rfon_wq);
++      cancel_delayed_work_sync(&rtlpriv->works.fwevt_wq);
++      cancel_delayed_work_sync(&rtlpriv->works.c2hcmd_wq);
+ }
+ EXPORT_SYMBOL_GPL(rtl_deinit_deferred_work);
+--- a/drivers/net/wireless/realtek/rtlwifi/base.h
++++ b/drivers/net/wireless/realtek/rtlwifi/base.h
+@@ -121,7 +121,7 @@ void rtl_init_rfkill(struct ieee80211_hw
+ void rtl_deinit_rfkill(struct ieee80211_hw *hw);
+ void rtl_watch_dog_timer_callback(unsigned long data);
+-void rtl_deinit_deferred_work(struct ieee80211_hw *hw);
++void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq);
+ bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx);
+ int rtlwifi_rate_mapping(struct ieee80211_hw *hw, bool isht,
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -196,7 +196,7 @@ static void rtl_op_stop(struct ieee80211
+               /* reset sec info */
+               rtl_cam_reset_sec_info(hw);
+-              rtl_deinit_deferred_work(hw);
++              rtl_deinit_deferred_work(hw, false);
+       }
+       rtlpriv->intf_ops->adapter_stop(hw);
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -2359,7 +2359,7 @@ void rtl_pci_disconnect(struct pci_dev *
+               ieee80211_unregister_hw(hw);
+               rtlmac->mac80211_registered = 0;
+       } else {
+-              rtl_deinit_deferred_work(hw);
++              rtl_deinit_deferred_work(hw, false);
+               rtlpriv->intf_ops->adapter_stop(hw);
+       }
+       rtlpriv->cfg->ops->disable_interrupt(hw);
+--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
+@@ -66,7 +66,7 @@ bool rtl_ps_disable_nic(struct ieee80211
+       struct rtl_priv *rtlpriv = rtl_priv(hw);
+       /*<1> Stop all timer */
+-      rtl_deinit_deferred_work(hw);
++      rtl_deinit_deferred_work(hw, true);
+       /*<2> Disable Interrupt */
+       rtlpriv->cfg->ops->disable_interrupt(hw);
+@@ -287,7 +287,7 @@ void rtl_ips_nic_on(struct ieee80211_hw
+       struct rtl_ps_ctl *ppsc = rtl_psc(rtl_priv(hw));
+       enum rf_pwrstate rtstate;
+-      cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq);
++      cancel_delayed_work_sync(&rtlpriv->works.ips_nic_off_wq);
+       spin_lock(&rtlpriv->locks.ips_lock);
+       if (ppsc->inactiveps) {
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1150,7 +1150,7 @@ void rtl_usb_disconnect(struct usb_inter
+               ieee80211_unregister_hw(hw);
+               rtlmac->mac80211_registered = 0;
+       } else {
+-              rtl_deinit_deferred_work(hw);
++              rtl_deinit_deferred_work(hw, false);
+               rtlpriv->intf_ops->adapter_stop(hw);
+       }
+       /*deinit rfkill */
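Review bot: The new `bool ips_wq` parameter of rtl_deinit_deferred_work() is undocumented, and the call sites pass bare `true`/`false`, so the deadlock-avoidance rule it encodes lives only in the commit message. I would add a kernel-doc comment in base.c stating that ips_wq must be true only when the caller may be running inside the ips_nic_off_wq work item, because `cancel_delayed_work_sync()` on the caller's own work would wait on itself. rtl_ps_disable_nic() passes `true` unconditionally, so if it is ever reached from a context other than that work item, ips_nic_off_wq is still cancelled without waiting and the original race stays open for that one item. The callers are outside these hunks and this should be confirmed. The same self-wait concern applies if any of the five works now cancelled synchronously can itself reach rtl_deinit_deferred_work(), and to `cancel_delayed_work_sync()` in rtl_ips_nic_on() if its callers hold a lock that the work also takes.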
diff --git a/queue-4.14/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch b/queue-4.14/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
new file mode 100644 (file)
index 0000000..21f5d6e
--- /dev/null
@@ -0,0 +1,41 @@
+From 9a98302de19991d51e067b88750585203b2a3ab6 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Thu, 28 Jun 2018 10:02:27 +0800
+Subject: rtlwifi: rtl8821ae: fix firmware is not ready to run
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit 9a98302de19991d51e067b88750585203b2a3ab6 upstream.
+
+Without this patch, firmware will not run properly on rtl8821ae, and it
+causes bad user experience. For example, bad connection performance with
+low rate, higher power consumption, and so on.
+
+rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and
+each firmware has firmware data buffer and size individually. Original
+code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and
+this mismatch causes firmware checksum error, then firmware can't start.
+
+In this situation, driver gives message "Firmware is not ready to run!".
+
+Fixes: fe89707f0afa ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Cc: Stable <stable@vger.kernel.org> # 4.0+
+Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/core.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -130,7 +130,6 @@ found_alt:
+                      firmware->size);
+               rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
+       }
+-      rtlpriv->rtlhal.fwsize = firmware->size;
+       release_firmware(firmware);
+ }
index 285e34ed3782ff0926195c04217f2a1e1e4247e3..1c299055bcb913647831d118ab643446c044688a 100644 (file)
@@ -46,3 +46,11 @@ tcp-fix-fast-open-key-endianness.patch
 tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch
 vhost_net-validate-sock-before-trying-to-put-its-fd.patch
 vsock-fix-loopback-on-big-endian-systems.patch
+net-cxgb3_main-fix-potential-spectre-v1.patch
+rtlwifi-fix-kernel-oops-fw-download-fail.patch
+rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
+net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
+xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch
+media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch
+clocksource-initialize-cs-wd_list.patch
+crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch
diff --git a/queue-4.14/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch b/queue-4.14/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch
new file mode 100644 (file)
index 0000000..f2d747e
--- /dev/null
@@ -0,0 +1,61 @@
+From 2278446e2b7cd33ad894b32e7eb63afc7db6c86e Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Mon, 14 May 2018 11:57:23 +0300
+Subject: xhci: Fix USB3 NULL pointer dereference at logical disconnect.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 2278446e2b7cd33ad894b32e7eb63afc7db6c86e upstream.
+
+Hub driver will try to disable a USB3 device twice at logical disconnect,
+racing with xhci_free_dev() callback from the first port disable.
+
+This can be triggered with "udisksctl power-off --block-device <disk>"
+or by writing "1" to the "remove" sysfs file for a USB3 device
+in 4.17-rc4.
+
+USB3 devices don't have a similar disabled link state as USB2 devices,
+and use a U3 suspended link state instead. In this state the port
+is still enabled and connected.
+
+hub_port_connect() first disconnects the device, then later it notices
+that device is still enabled (due to U3 states) it will try to disable
+the port again (set to U3).
+
+The xhci_free_dev() called during device disable is async, so checking
+for existing xhci->devs[i] when setting link state to U3 the second time
+was successful, even if device was being freed.
+
+The regression was caused by, and whole thing revealed by,
+Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device")
+which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned.
+and causes a NULL pointer dereference the second time we try to set U3.
+
+Fix this by checking xhci->devs[i]->udev exists before setting link state.
+
+The original patch went to stable so this fix needs to be applied there as
+well.
+
+Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device")
+Cc: <stable@vger.kernel.org>
+Reported-by: Jordan Glover <Golden_Miller83@protonmail.ch>
+Tested-by: Jordan Glover <Golden_Miller83@protonmail.ch>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -366,7 +366,7 @@ int xhci_find_slot_id_by_port(struct usb
+       slot_id = 0;
+       for (i = 0; i < MAX_HC_SLOTS; i++) {
+-              if (!xhci->devs[i])
++              if (!xhci->devs[i] || !xhci->devs[i]->udev)
+                       continue;
+               speed = xhci->devs[i]->udev->speed;
+               if (((speed >= USB_SPEED_SUPER) == (hcd->speed >= HCD_USB3))
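Review bot: The added `!xhci->devs[i]->udev` test in xhci_find_slot_id_by_port() and the dereference two lines later, `speed = xhci->devs[i]->udev->speed`, read the pointer separately. The commit message describes the free path as asynchronous, so the check narrows the window rather than closing it unless every caller holds a lock that serialises against xhci_free_dev(). That locking is outside the hunk. If it is not guaranteed, take one snapshot and use it for both: `struct usb_device *udev = READ_ONCE(xhci->devs[i]->udev);` then `if (!udev) continue;` and `speed = udev->speed;`. If the lock is guaranteed, a comment naming it above the loop would make the check's sufficiency clear.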