4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 7 Dec 2017 12:23:34 +0000 (13:23 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 7 Dec 2017 12:23:34 +0000 (13:23 +0100)
added patches:
staging-ccree-fix-leak-of-import-after-init.patch
usb-core-add-type-specific-length-check-of-bos-descriptors.patch
usb-host-fix-incorrect-updating-of-offset.patch
usb-hub-cycle-hub-power-when-initialization-fails.patch
usb-ulpi-fix-bus-node-lookup.patch
usb-usbfs-filter-flags-passed-in-from-user-space.patch
usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch
xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch

queue-4.14/series
queue-4.14/staging-ccree-fix-leak-of-import-after-init.patch [new file with mode: 0644]
queue-4.14/usb-core-add-type-specific-length-check-of-bos-descriptors.patch [new file with mode: 0644]
queue-4.14/usb-host-fix-incorrect-updating-of-offset.patch [new file with mode: 0644]
queue-4.14/usb-hub-cycle-hub-power-when-initialization-fails.patch [new file with mode: 0644]
queue-4.14/usb-ulpi-fix-bus-node-lookup.patch [new file with mode: 0644]
queue-4.14/usb-usbfs-filter-flags-passed-in-from-user-space.patch [new file with mode: 0644]
queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch [new file with mode: 0644]
queue-4.14/xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch [new file with mode: 0644]

index 020e67dca5932f3eb8dd68690d46cb3d892077c2..57c2c1a0690701fa73cd60a121940c8b9d93cd4b 100644 (file)
@@ -65,3 +65,11 @@ locking-refcounts-x86-asm-enable-config_arch_has_refcount.patch
 powerpc-jprobes-disable-preemption-when-triggered-through-ftrace.patch
 powerpc-kprobes-disable-preemption-before-invoking-probe-handler-for-optprobes.patch
 dma-buf-sw_sync-force-signal-all-unsignaled-fences-on-dying-timeline.patch
+staging-ccree-fix-leak-of-import-after-init.patch
+usb-hub-cycle-hub-power-when-initialization-fails.patch
+usb-ulpi-fix-bus-node-lookup.patch
+xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch
+usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch
+usb-core-add-type-specific-length-check-of-bos-descriptors.patch
+usb-usbfs-filter-flags-passed-in-from-user-space.patch
+usb-host-fix-incorrect-updating-of-offset.patch
diff --git a/queue-4.14/staging-ccree-fix-leak-of-import-after-init.patch b/queue-4.14/staging-ccree-fix-leak-of-import-after-init.patch
new file mode 100644 (file)
index 0000000..86282ee
--- /dev/null
@@ -0,0 +1,45 @@
+From c5f39d07860c35e5e4c63188139465af790f86ce Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Thu, 9 Nov 2017 09:16:09 +0000
+Subject: staging: ccree: fix leak of import() after init()
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit c5f39d07860c35e5e4c63188139465af790f86ce upstream.
+
+crypto_ahash_import() may be called either after
+crypto_ahash_init() or without such call. Right now
+we always internally call init() as part of
+import(), thus leaking memory and mappings if the
+user has already called init() herself.
+
+Fix this by only calling init() internally if the
+state is not already initialized.
+
+Fixes: commit 454527d0d94f ("staging: ccree: fix hash import/export")
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/ccree/ssi_hash.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/ccree/ssi_hash.c
++++ b/drivers/staging/ccree/ssi_hash.c
+@@ -1790,9 +1790,12 @@ static int ssi_ahash_import(struct ahash
+       }
+       in += sizeof(u32);
+-      rc = ssi_hash_init(state, ctx);
+-      if (rc)
+-              goto out;
++      /* call init() to allocate bufs if the user hasn't */
++      if (!state->digest_buff) {
++              rc = ssi_hash_init(state, ctx);
++              if (rc)
++                      goto out;
++      }
+       dma_sync_single_for_cpu(dev, state->digest_buff_dma_addr,
+                               ctx->inter_digestsize, DMA_BIDIRECTIONAL);
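Review bot: The new `if (!state->digest_buff)` guard treats a NULL pointer as proof that init() has not run, but nothing in this hunk shows the request state being zeroed before ssi_ahash_import() is entered. If a caller can pass a request context with stale contents, init is skipped and the `dma_sync_single_for_cpu()` call right after the guard works on a `digest_buff_dma_addr` that was never mapped. The comment should state the precondition, for example `/* state must be zeroed if init() was never called: NULL digest_buff means "not initialized" */`, or initialization should be tracked with an explicit flag. ssi_ahash_import() starts and ends outside the hunk, so the allocation and export paths could not be checked here.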
diff --git a/queue-4.14/usb-core-add-type-specific-length-check-of-bos-descriptors.patch b/queue-4.14/usb-core-add-type-specific-length-check-of-bos-descriptors.patch
new file mode 100644 (file)
index 0000000..5356b52
--- /dev/null
@@ -0,0 +1,109 @@
+From 81cf4a45360f70528f1f64ba018d61cb5767249a Mon Sep 17 00:00:00 2001
+From: Masakazu Mokuno <masakazu.mokuno@gmail.com>
+Date: Fri, 10 Nov 2017 01:25:50 +0900
+Subject: USB: core: Add type-specific length check of BOS descriptors
+
+From: Masakazu Mokuno <masakazu.mokuno@gmail.com>
+
+commit 81cf4a45360f70528f1f64ba018d61cb5767249a upstream.
+
+As most of BOS descriptors are longer in length than their header
+'struct usb_dev_cap_header', comparing solely with it is not sufficient
+to avoid out-of-bounds access to BOS descriptors.
+
+This patch adds descriptor type specific length check in
+usb_get_bos_descriptor() to fix the issue.
+
+Signed-off-by: Masakazu Mokuno <masakazu.mokuno@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c    |   28 ++++++++++++++++++++++++----
+ include/uapi/linux/usb/ch9.h |    3 +++
+ 2 files changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -905,14 +905,25 @@ void usb_release_bos_descriptor(struct u
+       }
+ }
++static const __u8 bos_desc_len[256] = {
++      [USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE,
++      [USB_CAP_TYPE_EXT]          = USB_DT_USB_EXT_CAP_SIZE,
++      [USB_SS_CAP_TYPE]           = USB_DT_USB_SS_CAP_SIZE,
++      [USB_SSP_CAP_TYPE]          = USB_DT_USB_SSP_CAP_SIZE(1),
++      [CONTAINER_ID_TYPE]         = USB_DT_USB_SS_CONTN_ID_SIZE,
++      [USB_PTM_CAP_TYPE]          = USB_DT_USB_PTM_ID_SIZE,
++};
++
+ /* Get BOS descriptor set */
+ int usb_get_bos_descriptor(struct usb_device *dev)
+ {
+       struct device *ddev = &dev->dev;
+       struct usb_bos_descriptor *bos;
+       struct usb_dev_cap_header *cap;
++      struct usb_ssp_cap_descriptor *ssp_cap;
+       unsigned char *buffer;
+-      int length, total_len, num, i;
++      int length, total_len, num, i, ssac;
++      __u8 cap_type;
+       int ret;
+       bos = kzalloc(sizeof(struct usb_bos_descriptor), GFP_KERNEL);
+@@ -965,7 +976,13 @@ int usb_get_bos_descriptor(struct usb_de
+                       dev->bos->desc->bNumDeviceCaps = i;
+                       break;
+               }
++              cap_type = cap->bDevCapabilityType;
+               length = cap->bLength;
++              if (bos_desc_len[cap_type] && length < bos_desc_len[cap_type]) {
++                      dev->bos->desc->bNumDeviceCaps = i;
++                      break;
++              }
++
+               total_len -= length;
+               if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
+@@ -973,7 +990,7 @@ int usb_get_bos_descriptor(struct usb_de
+                       continue;
+               }
+-              switch (cap->bDevCapabilityType) {
++              switch (cap_type) {
+               case USB_CAP_TYPE_WIRELESS_USB:
+                       /* Wireless USB cap descriptor is handled by wusb */
+                       break;
+@@ -986,8 +1003,11 @@ int usb_get_bos_descriptor(struct usb_de
+                               (struct usb_ss_cap_descriptor *)buffer;
+                       break;
+               case USB_SSP_CAP_TYPE:
+-                      dev->bos->ssp_cap =
+-                              (struct usb_ssp_cap_descriptor *)buffer;
++                      ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
++                      ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
++                              USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
++                      if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
++                              dev->bos->ssp_cap = ssp_cap;
+                       break;
+               case CONTAINER_ID_TYPE:
+                       dev->bos->ss_id =
+--- a/include/uapi/linux/usb/ch9.h
++++ b/include/uapi/linux/usb/ch9.h
+@@ -876,6 +876,8 @@ struct usb_wireless_cap_descriptor {       /*
+       __u8  bReserved;
+ } __attribute__((packed));
++#define USB_DT_USB_WIRELESS_CAP_SIZE  11
++
+ /* USB 2.0 Extension descriptor */
+ #define       USB_CAP_TYPE_EXT                2
+@@ -1068,6 +1070,7 @@ struct usb_ptm_cap_descriptor {
+       __u8  bDevCapabilityType;
+ } __attribute__((packed));
++#define USB_DT_USB_PTM_ID_SIZE                3
+ /*
+  * The size of the descriptor for the Sublink Speed Attribute Count
+  * (SSAC) specified in bmAttributes[4:0].
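Review bot: `bos_desc_len[]` has no comment saying that a zero entry means "no type-specific minimum", so the table does not show that capability types it does not list are still accepted on the generic header check alone. A comment such as `/* minimum bLength per bDevCapabilityType; 0 = no type-specific check */` above the table would make that explicit, and it should add that the `USB_SSP_CAP_TYPE` entry is only the floor for one sublink speed attribute, with the real size re-checked in the switch. The lookup also runs before `bDescriptorType` is compared with `USB_DT_DEVICE_CAPABILITY`, so a descriptor of another type whose capability-type byte matches a listed entry now ends parsing instead of being skipped; if that is intended it deserves a line in the comment. In the `USB_SSP_CAP_TYPE` case a too-short descriptor leaves `dev->bos->ssp_cap` unset without any message. usb_get_bos_descriptor() continues outside the hunks shown.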
diff --git a/queue-4.14/usb-host-fix-incorrect-updating-of-offset.patch b/queue-4.14/usb-host-fix-incorrect-updating-of-offset.patch
new file mode 100644 (file)
index 0000000..9820af7
--- /dev/null
@@ -0,0 +1,37 @@
+From 1d5a31582ef046d3b233f0da1a68ae26519b2f0a Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 7 Nov 2017 16:45:04 +0000
+Subject: usb: host: fix incorrect updating of offset
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream.
+
+The variable temp is incorrectly being updated, instead it should
+be offset otherwise the loop just reads the same capability value
+and loops forever.  Thanks to Alan Stern for pointing out the
+correct fix to my original fix.  Fix also cleans up clang warning:
+
+drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp'
+is never read
+
+Fixes: d49d43174400 ("USB: misc ehci updates")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ehci-dbg.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ehci-dbg.c
++++ b/drivers/usb/host/ehci-dbg.c
+@@ -837,7 +837,7 @@ static ssize_t fill_registers_buffer(str
+                       default:                /* unknown */
+                               break;
+                       }
+-                      temp = (cap >> 8) & 0xff;
++                      offset = (cap >> 8) & 0xff;
+               }
+       }
+ #endif
diff --git a/queue-4.14/usb-hub-cycle-hub-power-when-initialization-fails.patch b/queue-4.14/usb-hub-cycle-hub-power-when-initialization-fails.patch
new file mode 100644 (file)
index 0000000..19efc7c
--- /dev/null
@@ -0,0 +1,57 @@
+From 973593a960ddac0f14f0d8877d2d0abe0afda795 Mon Sep 17 00:00:00 2001
+From: Mike Looijmans <mike.looijmans@topic.nl>
+Date: Thu, 9 Nov 2017 13:16:46 +0100
+Subject: usb: hub: Cycle HUB power when initialization fails
+
+From: Mike Looijmans <mike.looijmans@topic.nl>
+
+commit 973593a960ddac0f14f0d8877d2d0abe0afda795 upstream.
+
+Sometimes the USB device gets confused about the state of the initialization and
+the connection fails. In particular, the device thinks that it's already set up
+and running while the host thinks the device still needs to be configured. To
+work around this issue, power-cycle the hub's output to issue a sort of "reset"
+to the device. This makes the device restart its state machine and then the
+initialization succeeds.
+
+This fixes problems where the kernel reports a list of errors like this:
+
+usb 1-1.3: device not accepting address 19, error -71
+
+The end result is a non-functioning device. After this patch, the sequence
+becomes like this:
+
+usb 1-1.3: new high-speed USB device number 18 using ci_hdrc
+usb 1-1.3: device not accepting address 18, error -71
+usb 1-1.3: new high-speed USB device number 19 using ci_hdrc
+usb 1-1.3: device not accepting address 19, error -71
+usb 1-1-port3: attempt power cycle
+usb 1-1.3: new high-speed USB device number 21 using ci_hdrc
+usb-storage 1-1.3:1.2: USB Mass Storage device detected
+
+Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4935,6 +4935,15 @@ loop:
+               usb_put_dev(udev);
+               if ((status == -ENOTCONN) || (status == -ENOTSUPP))
+                       break;
++
++              /* When halfway through our retry count, power-cycle the port */
++              if (i == (SET_CONFIG_TRIES / 2) - 1) {
++                      dev_info(&port_dev->dev, "attempt power cycle\n");
++                      usb_hub_set_port_power(hdev, hub, port1, false);
++                      msleep(2 * hub_power_on_good_delay(hub));
++                      usb_hub_set_port_power(hdev, hub, port1, true);
++                      msleep(hub_power_on_good_delay(hub));
++              }
+       }
+       if (hub->hdev->parent ||
+                       !hcd->driver->port_handed_over ||
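Review bot: Both `usb_hub_set_port_power()` calls in the added block ignore their return value, so a failed power-on after a successful power-off leaves the port unpowered while the retry loop carries on as if the cycle had worked. Checking at least the second call would surface that, e.g. `if (usb_hub_set_port_power(hdev, hub, port1, true)) dev_warn(&port_dev->dev, "power cycle: power-on failed\n");`. The trigger `i == (SET_CONFIG_TRIES / 2) - 1` would also read better with the resulting attempt number spelled out in the comment. The enclosing retry loop begins outside the hunk.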
diff --git a/queue-4.14/usb-ulpi-fix-bus-node-lookup.patch b/queue-4.14/usb-ulpi-fix-bus-node-lookup.patch
new file mode 100644 (file)
index 0000000..f95e235
--- /dev/null
@@ -0,0 +1,40 @@
+From 33c309ebc797b908029fd3a0851aefe697e9b598 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sat, 11 Nov 2017 16:31:18 +0100
+Subject: USB: ulpi: fix bus-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 33c309ebc797b908029fd3a0851aefe697e9b598 upstream.
+
+Fix bus-node lookup during registration, which ended up searching the whole
+device tree depth-first starting at the parent (or grand parent) rather
+than just matching on its children.
+
+To make things worse, the parent (or grand-parent) node could end being
+prematurely freed as well.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Reported-by: Peter Robinson <pbrobinson@gmail.com>
+Reported-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/common/ulpi.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -183,9 +183,9 @@ static int ulpi_of_register(struct ulpi
+       /* Find a ulpi bus underneath the parent or the grandparent */
+       parent = ulpi->dev.parent;
+       if (parent->of_node)
+-              np = of_find_node_by_name(parent->of_node, "ulpi");
++              np = of_get_child_by_name(parent->of_node, "ulpi");
+       else if (parent->parent && parent->parent->of_node)
+-              np = of_find_node_by_name(parent->parent->of_node, "ulpi");
++              np = of_get_child_by_name(parent->parent->of_node, "ulpi");
+       if (!np)
+               return 0;
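Review bot: The context comment `/* Find a ulpi bus underneath the parent or the grandparent */` still says "underneath", which is the ambiguity behind the bug being fixed: the lookup now matches direct children only. It should read something like `/* Find a "ulpi" bus node that is a direct child of the parent or the grandparent */`. `of_get_child_by_name()` returns a node with its reference count raised, so `np` needs a matching `of_node_put()` on every path after the `if (!np)` check; that code is outside the hunk and could not be checked here.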
diff --git a/queue-4.14/usb-usbfs-filter-flags-passed-in-from-user-space.patch b/queue-4.14/usb-usbfs-filter-flags-passed-in-from-user-space.patch
new file mode 100644 (file)
index 0000000..4c93470
--- /dev/null
@@ -0,0 +1,47 @@
+From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 23 Nov 2017 16:39:52 +0100
+Subject: USB: usbfs: Filter flags passed in from user space
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 446f666da9f019ce2ffd03800995487e79a91462 upstream.
+
+USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
+Improve sanity checking.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1455,14 +1455,18 @@ static int proc_do_submiturb(struct usb_
+       int number_of_packets = 0;
+       unsigned int stream_id = 0;
+       void *buf;
+-
+-      if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
+-                              USBDEVFS_URB_SHORT_NOT_OK |
++      unsigned long mask =    USBDEVFS_URB_SHORT_NOT_OK |
+                               USBDEVFS_URB_BULK_CONTINUATION |
+                               USBDEVFS_URB_NO_FSBR |
+                               USBDEVFS_URB_ZERO_PACKET |
+-                              USBDEVFS_URB_NO_INTERRUPT))
+-              return -EINVAL;
++                              USBDEVFS_URB_NO_INTERRUPT;
++      /* USBDEVFS_URB_ISO_ASAP is a special case */
++      if (uurb->type == USBDEVFS_URB_TYPE_ISO)
++              mask |= USBDEVFS_URB_ISO_ASAP;
++
++      if (uurb->flags & ~mask)
++                      return -EINVAL;
++
+       if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
+               return -EINVAL;
+       if (uurb->buffer_length > 0 && !uurb->buffer)
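Review bot: The ISO_ASAP exception is keyed on `uurb->type`, which comes from user space just like `uurb->flags`, so the filter only holds if the claimed type is later checked against the real endpoint descriptor; that check is not in this hunk, and proc_do_submiturb() continues beyond it. A short comment saying where the type is validated would let a reader confirm the ordering. There are also two style points in the added lines: `mask` is declared `unsigned long` although it is only compared with the `unsigned int` flags field, and `return -EINVAL;` under `if (uurb->flags & ~mask)` is indented one level too deep. Suggested: `unsigned int mask = USBDEVFS_URB_SHORT_NOT_OK |` and the `return -EINVAL;` moved back one tab.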
diff --git a/queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch b/queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch
new file mode 100644 (file)
index 0000000..9fdf0d0
--- /dev/null
@@ -0,0 +1,72 @@
+From 80e457699a8dbdd70f2d26911e46f538645c55fc Mon Sep 17 00:00:00 2001
+From: Yu Chen <chenyu56@huawei.com>
+Date: Fri, 1 Dec 2017 13:41:20 +0200
+Subject: usb: xhci: fix panic in xhci_free_virt_devices_depth_first
+
+From: Yu Chen <chenyu56@huawei.com>
+
+commit 80e457699a8dbdd70f2d26911e46f538645c55fc upstream.
+
+Check vdev->real_port 0 to avoid panic
+[    9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108
+[    9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570
+[    9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8
+[    9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0
+[    9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8
+[    9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70
+[    9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108
+[    9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40
+[    9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120
+[    9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210
+[    9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0
+[    9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488
+[    9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8
+[    9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490
+[    9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0
+[    9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100
+[    9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50
+
+The problem can occur if xhci_plat_remove() is called shortly after
+xhci_plat_probe(). While xhci_free_virt_devices_depth_first been
+called before the device has been setup and get real_port initialized.
+The problem occurred on Hikey960 and was reproduced by Guenter Roeck
+on Kevin with chromeos-4.4.
+
+Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first")
+Cc: Guenter Roeck <groeck@google.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Fan Ning <fanning4@hisilicon.com>
+Signed-off-by: Li Rui <lirui39@hisilicon.com>
+Signed-off-by: yangdi <yangdi10@hisilicon.com>
+Signed-off-by: Yu Chen <chenyu56@huawei.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -947,6 +947,12 @@ void xhci_free_virt_devices_depth_first(
+       if (!vdev)
+               return;
++      if (vdev->real_port == 0 ||
++                      vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) {
++              xhci_dbg(xhci, "Bad vdev->real_port.\n");
++              goto out;
++      }
++
+       tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts);
+       list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) {
+               /* is this a hub device that added a tt_info to the tts list */
+@@ -960,6 +966,7 @@ void xhci_free_virt_devices_depth_first(
+                       }
+               }
+       }
++out:
+       /* we are now at a leaf device */
+       xhci_free_virt_device(xhci, slot_id);
+ }
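Review bot: The added bounds check logs only `"Bad vdev->real_port.\n"` at debug level, with neither the slot nor the offending value, which makes an out-of-range `real_port` hard to trace after the fact. Something like `xhci_dbg(xhci, "Bad real_port %u for slot %d\n", vdev->real_port, slot_id);` (format specifiers to be matched to the field types) gives the reader what is needed. The `goto out` path still calls `xhci_free_virt_device(xhci, slot_id)`; that function is not shown here, so it should be confirmed that it does not itself index `xhci->rh_bw[]` with `real_port - 1` for such a device.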
diff --git a/queue-4.14/xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch b/queue-4.14/xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch
new file mode 100644 (file)
index 0000000..968c5f9
--- /dev/null
@@ -0,0 +1,51 @@
+From e4ec40ec4b260efcca15089de4285a0a3411259b Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 1 Dec 2017 13:41:19 +0200
+Subject: xhci: Don't show incorrect WARN message about events for empty rings
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit e4ec40ec4b260efcca15089de4285a0a3411259b upstream.
+
+xHC can generate two events for a short transfer if the short TRB and
+last TRB in the TD are not the same TRB.
+
+The driver will handle the TD after the first short event, and remove
+it from its internal list. Driver then incorrectly prints a warning
+for the second event:
+
+"WARN Event TRB for slot x ep y with no TDs queued"
+
+Fix this by not printing a warning if we get a event on a empty list
+if the previous event was a short event.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2486,12 +2486,16 @@ static int handle_tx_event(struct xhci_h
+                */
+               if (list_empty(&ep_ring->td_list)) {
+                       /*
+-                       * A stopped endpoint may generate an extra completion
+-                       * event if the device was suspended.  Don't print
+-                       * warnings.
++                       * Don't print wanings if it's due to a stopped endpoint
++                       * generating an extra completion event if the device
++                       * was suspended. Or, a event for the last TRB of a
++                       * short TD we already got a short event for.
++                       * The short TD is already removed from the TD list.
+                        */
++
+                       if (!(trb_comp_code == COMP_STOPPED ||
+-                              trb_comp_code == COMP_STOPPED_LENGTH_INVALID)) {
++                            trb_comp_code == COMP_STOPPED_LENGTH_INVALID ||
++                            ep_ring->last_td_was_short)) {
+                               xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
+                                               TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
+                                               ep_index);
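Review bot: The rewritten comment has typos ("wanings", "a event") and its second sentence is a fragment; it should say `warnings` and `an event` and list both suppressed cases in one sentence. More substantively, `ep_ring->last_td_was_short` silences the warning for any event that arrives on an empty TD list while the flag is set, not only for the second event of the same short TD. The suppression is therefore only as narrow as the code that sets and clears the flag, and that code is outside this hunk. A line in the comment saying where the flag is reset would let a reader check that a genuinely unexpected event is still reported. handle_tx_event() starts and ends outside the hunk.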