bpf-array-fix-overflow-in-max_entries-and-undefined-behavior-in-index_mask.patch
iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch
target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch
+usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch
+usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch
+usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch
+usb-fix-usbmon-bug-trigger.patch
+usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
+staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch
--- /dev/null
+From 443064cb0b1fb4569fe0a71209da7625129fb760 Mon Sep 17 00:00:00 2001
+From: Viktor Slavkovic <viktors@google.com>
+Date: Mon, 8 Jan 2018 10:43:03 -0800
+Subject: staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
+
+From: Viktor Slavkovic <viktors@google.com>
+
+commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream.
+
+A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
+race condition when mmap is called. After the !asma->file check, before
+setting asma->size, asma->file can be set in mmap. That would result in
+having different asma->size than the mapped memory size. Combined with
+ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
+corruption.
+
+Signed-off-by: Viktor Slavkovic <viktors@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -759,10 +759,12 @@ static long ashmem_ioctl(struct file *fi
+ break;
+ case ASHMEM_SET_SIZE:
+ ret = -EINVAL;
++ mutex_lock(&ashmem_mutex);
+ if (!asma->file) {
+ ret = 0;
+ asma->size = (size_t)arg;
+ }
++ mutex_unlock(&ashmem_mutex);
+ break;
+ case ASHMEM_GET_SIZE:
+ ret = asma->size;
--- /dev/null
+From 46eb14a6e1585d99c1b9f58d0e7389082a5f466b Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev <zaitcev@redhat.com>
+Date: Mon, 8 Jan 2018 15:46:41 -0600
+Subject: USB: fix usbmon BUG trigger
+
+From: Pete Zaitcev <zaitcev@redhat.com>
+
+commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b upstream.
+
+Automated tests triggered this by opening usbmon and accessing the
+mmap while simultaneously resizing the buffers. This bug was with
+us since 2006, because typically applications only size the buffers
+once and thus avoid racing. Reported by Kirill A. Shutemov.
+
+Reported-by: <syzbot+f9831b881b3e849829fc@syzkaller.appspotmail.com>
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/mon/mon_bin.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1001,7 +1001,9 @@ static long mon_bin_ioctl(struct file *f
+ break;
+
+ case MON_IOCQ_RING_SIZE:
++ mutex_lock(&rp->fetch_lock);
+ ret = rp->b_size;
++ mutex_unlock(&rp->fetch_lock);
+ break;
+
+ case MON_IOCT_RING_SIZE:
+@@ -1228,12 +1230,16 @@ static int mon_bin_vma_fault(struct vm_a
+ unsigned long offset, chunk_idx;
+ struct page *pageptr;
+
++ mutex_lock(&rp->fetch_lock);
+ offset = vmf->pgoff << PAGE_SHIFT;
+- if (offset >= rp->b_size)
++ if (offset >= rp->b_size) {
++ mutex_unlock(&rp->fetch_lock);
+ return VM_FAULT_SIGBUS;
++ }
+ chunk_idx = offset / CHUNK_SIZE;
+ pageptr = rp->b_vec[chunk_idx].pg;
+ get_page(pageptr);
++ mutex_unlock(&rp->fetch_lock);
+ vmf->page = pageptr;
+ return 0;
+ }
--- /dev/null
+From b8626f1dc29d3eee444bfaa92146ec7b291ef41c Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Thu, 11 Jan 2018 14:47:40 +0100
+Subject: usb: misc: usb3503: make sure reset is low for at least 100us
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit b8626f1dc29d3eee444bfaa92146ec7b291ef41c upstream.
+
+When using a GPIO which is high by default, and initialize the
+driver in USB Hub mode, initialization fails with:
+ [ 111.757794] usb3503 0-0008: SP_ILOCK failed (-5)
+
+The reason seems to be that the chip is not properly reset.
+Probe does initialize reset low, however some lines later the
+code already set it back high, which is not long enouth.
+
+Make sure reset is asserted for at least 100us by inserting a
+delay after initializing the reset pin during probe.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/usb3503.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/misc/usb3503.c
++++ b/drivers/usb/misc/usb3503.c
+@@ -292,6 +292,8 @@ static int usb3503_probe(struct usb3503
+ if (gpio_is_valid(hub->gpio_reset)) {
+ err = devm_gpio_request_one(dev, hub->gpio_reset,
+ GPIOF_OUT_INIT_LOW, "usb3503 reset");
++ /* Datasheet defines a hardware reset to be at least 100us */
++ usleep_range(100, 10000);
+ if (err) {
+ dev_err(dev,
+ "unable to request GPIO %d as reset pin (%d)\n",
--- /dev/null
+From 4307413256ac1e09b8f53e8715af3df9e49beec3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= <flameeyes@flameeyes.eu>
+Date: Fri, 29 Dec 2017 09:54:25 +0000
+Subject: USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+
+commit 4307413256ac1e09b8f53e8715af3df9e49beec3 upstream.
+
+Add IDs for the OneTouch Verio IQ that comes with an embedded
+USB-to-serial converter.
+
+Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -120,6 +120,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
+ { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
+ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
++ { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
+ { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
+ { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
+ { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
--- /dev/null
+From d14ac576d10f865970bb1324d337e5e24d79aaf4 Mon Sep 17 00:00:00 2001
+From: Christian Holl <cyborgx1@gmail.com>
+Date: Wed, 3 Jan 2018 19:53:02 +0100
+Subject: USB: serial: cp210x: add new device ID ELV ALC 8xxx
+
+From: Christian Holl <cyborgx1@gmail.com>
+
+commit d14ac576d10f865970bb1324d337e5e24d79aaf4 upstream.
+
+This adds the ELV ALC 8xxx Battery Charging device
+to the list of USB IDs of drivers/usb/serial/cp210x.c
+
+Signed-off-by: Christian Holl <cyborgx1@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -171,6 +171,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
+ { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
++ { USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
+ { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
--- /dev/null
+From e1346fd87c71a1f61de1fe476ec8df1425ac931c Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Fri, 22 Dec 2017 17:00:06 -0700
+Subject: usbip: remove kernel addresses from usb device and urb debug msgs
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit e1346fd87c71a1f61de1fe476ec8df1425ac931c upstream.
+
+usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses.
+Remove kernel addresses from usb device and urb debug msgs and improve
+the message content.
+
+Instead of printing parent device and bus addresses, print parent device
+and bus names.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/usbip_common.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -103,7 +103,7 @@ static void usbip_dump_usb_device(struct
+ dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)",
+ udev->devnum, udev->devpath, usb_speed_string(udev->speed));
+
+- pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport);
++ pr_debug("tt hub ttport %d\n", udev->ttport);
+
+ dev_dbg(dev, " ");
+ for (i = 0; i < 16; i++)
+@@ -136,12 +136,8 @@ static void usbip_dump_usb_device(struct
+ }
+ pr_debug("\n");
+
+- dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus);
+-
+- dev_dbg(dev,
+- "descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
+- &udev->descriptor, udev->config,
+- udev->actconfig, udev->rawdescriptors);
++ dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
++ udev->bus->bus_name);
+
+ dev_dbg(dev, "have_langid %d, string_langid %d\n",
+ udev->have_langid, udev->string_langid);
+@@ -249,9 +245,6 @@ void usbip_dump_urb(struct urb *urb)
+
+ dev = &urb->dev->dev;
+
+- dev_dbg(dev, " urb :%p\n", urb);
+- dev_dbg(dev, " dev :%p\n", urb->dev);
+-
+ usbip_dump_usb_device(urb->dev);
+
+ dev_dbg(dev, " pipe :%08x ", urb->pipe);
+@@ -260,11 +253,9 @@ void usbip_dump_urb(struct urb *urb)
+
+ dev_dbg(dev, " status :%d\n", urb->status);
+ dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags);
+- dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer);
+ dev_dbg(dev, " transfer_buffer_length:%d\n",
+ urb->transfer_buffer_length);
+ dev_dbg(dev, " actual_length :%d\n", urb->actual_length);
+- dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet);
+
+ if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
+ usbip_dump_usb_ctrlrequest(
+@@ -274,8 +265,6 @@ void usbip_dump_urb(struct urb *urb)
+ dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets);
+ dev_dbg(dev, " interval :%d\n", urb->interval);
+ dev_dbg(dev, " error_count :%d\n", urb->error_count);
+- dev_dbg(dev, " context :%p\n", urb->context);
+- dev_dbg(dev, " complete :%p\n", urb->complete);
+ }
+ EXPORT_SYMBOL_GPL(usbip_dump_urb);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
