--- /dev/null
+From d623500b3c4efd8d4e945ac9003c6b87b469a9ab Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Thu, 20 Sep 2018 12:59:05 -0700
+Subject: IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit d623500b3c4efd8d4e945ac9003c6b87b469a9ab upstream.
+
+If a packet stream uses an UnsupportedVL (virtual lane), the send
+engine will not send the packet, and it will not indicate that an
+error has occurred. This will cause the packet stream to block.
+
+HFI has 8 virtual lanes available for packet streams. Each lane can
+be enabled or disabled using the UnsupportedVL mask. If a lane is
+disabled, adding a packet to the send context must be disallowed.
+
+The current mask for determining unsupported VLs defaults to 0 (allow
+all). This is incorrect. Only the VLs that are defined should be
+allowed.
+
+Determine which VLs are disabled (mtu == 0), and set the appropriate
+unsupported bit in the mask. The correct mask will allow the send
+engine to error on the invalid VL, and error recovery will work
+correctly.
+
+Cc: <stable@vger.kernel.org> # 4.9.x+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/pio.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/pio.c
++++ b/drivers/infiniband/hw/hfi1/pio.c
+@@ -86,6 +86,7 @@ void pio_send_control(struct hfi1_devdat
+ unsigned long flags;
+ int write = 1; /* write sendctrl back */
+ int flush = 0; /* re-read sendctrl to make sure it is flushed */
++ int i;
+
+ spin_lock_irqsave(&dd->sendctrl_lock, flags);
+
+@@ -95,9 +96,13 @@ void pio_send_control(struct hfi1_devdat
+ reg |= SEND_CTRL_SEND_ENABLE_SMASK;
+ /* Fall through */
+ case PSC_DATA_VL_ENABLE:
++ mask = 0;
++ for (i = 0; i < ARRAY_SIZE(dd->vld); i++)
++ if (!dd->vld[i].mtu)
++ mask |= BIT_ULL(i);
+ /* Disallow sending on VLs not enabled */
+- mask = (((~0ull) << num_vls) & SEND_CTRL_UNSUPPORTED_VL_MASK) <<
+- SEND_CTRL_UNSUPPORTED_VL_SHIFT;
++ mask = (mask & SEND_CTRL_UNSUPPORTED_VL_MASK) <<
++ SEND_CTRL_UNSUPPORTED_VL_SHIFT;
+ reg = (reg & ~SEND_CTRL_UNSUPPORTED_VL_SMASK) | mask;
+ break;
+ case PSC_GLOBAL_DISABLE:
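Review bot: The comment `/* Disallow sending on VLs not enabled */` in the PSC_DATA_VL_ENABLE case now sits below the loop that computes the disabled set, so the `mtu == 0` convention is undocumented where it is used. I would move it above `mask = 0;` and reword it along the lines of `/* A VL with mtu == 0 is disabled: set its UnsupportedVL bit so the send engine reports an error instead of stalling */`. The loop walks all of `ARRAY_SIZE(dd->vld)` and relies on the later `& SEND_CTRL_UNSUPPORTED_VL_MASK` to discard entries beyond the mask field, which is worth stating in that comment because the array size is not visible here. `i` is an `int` compared against the unsigned result of ARRAY_SIZE; an unsigned index would avoid the mixed-sign comparison. pio_send_control() starts and ends outside the hunk.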
--- /dev/null
+From 0dbfaa9f2813787679e296eb5476e40938ab48c8 Mon Sep 17 00:00:00 2001
+From: Ira Weiny <ira.weiny@intel.com>
+Date: Thu, 20 Sep 2018 12:58:46 -0700
+Subject: IB/hfi1: Fix SL array bounds check
+
+From: Ira Weiny <ira.weiny@intel.com>
+
+commit 0dbfaa9f2813787679e296eb5476e40938ab48c8 upstream.
+
+The SL specified by a user needs to be a valid SL.
+
+Add a range check to the user specified SL value which protects from
+running off the end of the SL to SC table.
+
+CC: stable@vger.kernel.org
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -1573,6 +1573,7 @@ static int hfi1_check_ah(struct ib_devic
+ struct hfi1_pportdata *ppd;
+ struct hfi1_devdata *dd;
+ u8 sc5;
++ u8 sl;
+
+ if (hfi1_check_mcast(rdma_ah_get_dlid(ah_attr)) &&
+ !(rdma_ah_get_ah_flags(ah_attr) & IB_AH_GRH))
+@@ -1581,8 +1582,13 @@ static int hfi1_check_ah(struct ib_devic
+ /* test the mapping for validity */
+ ibp = to_iport(ibdev, rdma_ah_get_port_num(ah_attr));
+ ppd = ppd_from_ibp(ibp);
+- sc5 = ibp->sl_to_sc[rdma_ah_get_sl(ah_attr)];
+ dd = dd_from_ppd(ppd);
++
++ sl = rdma_ah_get_sl(ah_attr);
++ if (sl >= ARRAY_SIZE(ibp->sl_to_sc))
++ return -EINVAL;
++
++ sc5 = ibp->sl_to_sc[sl];
+ if (sc_to_vlt(dd, sc5) > num_vls && sc_to_vlt(dd, sc5) != 0xf)
+ return -EINVAL;
+ return 0;
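Review bot: The new `sl >= ARRAY_SIZE(ibp->sl_to_sc)` guard bounds the table index, but the next test in hfi1_check_ah() still accepts a VL equal to `num_vls`, because it compares with `>`. If data VLs are numbered 0..num_vls-1 (not visible in this hunk, so please confirm), the condition should read `if (sc_to_vlt(dd, sc5) >= num_vls && sc_to_vlt(dd, sc5) != 0xf)`. A short comment on why `0xf` is exempt would also help the next reader of this validation path. The function starts outside the hunk.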
--- /dev/null
+From 94694d18cf27a6faad91487a38ce516c2b16e7d9 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Thu, 20 Sep 2018 12:58:56 -0700
+Subject: IB/hfi1: Invalid user input can result in crash
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit 94694d18cf27a6faad91487a38ce516c2b16e7d9 upstream.
+
+If the number of packets in a user sdma request does not match
+the actual iovectors being sent, sdma_cleanup can be called on
+an uninitialized request structure, resulting in a crash similar
+to this:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+IP: [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0 [hfi1]
+PGD 8000001044f61067 PUD 1052706067 PMD 0
+Oops: 0000 [#1] SMP
+CPU: 30 PID: 69912 Comm: upsm Kdump: loaded Tainted: G OE
+------------ 3.10.0-862.el7.x86_64 #1
+Hardware name: Intel Corporation S2600KPR/S2600KPR, BIOS
+SE5C610.86B.01.01.0019.101220160604 10/12/2016
+task: ffff8b331c890000 ti: ffff8b2ed1f98000 task.ti: ffff8b2ed1f98000
+RIP: 0010:[<ffffffffc0ae8bb7>] [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0
+[hfi1]
+RSP: 0018:ffff8b2ed1f9bab0 EFLAGS: 00010286
+RAX: 0000000000008b2b RBX: ffff8b2adf6e0000 RCX: 0000000000000000
+RDX: 00000000000000a0 RSI: ffff8b2e9eedc540 RDI: ffff8b2adf6e0000
+RBP: ffff8b2ed1f9bad8 R08: 0000000000000000 R09: ffffffffc0b04a06
+R10: ffff8b331c890190 R11: ffffe6ed00bf1840 R12: ffff8b3315480000
+R13: ffff8b33154800f0 R14: 00000000fffffff2 R15: ffff8b2e9eedc540
+FS: 00007f035ac47740(0000) GS:ffff8b331e100000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000008 CR3: 0000000c03fe6000 CR4: 00000000001607e0
+Call Trace:
+ [<ffffffffc0b0570d>] user_sdma_send_pkts+0xdcd/0x1990 [hfi1]
+ [<ffffffff9fe75fb0>] ? gup_pud_range+0x140/0x290
+ [<ffffffffc0ad3105>] ? hfi1_mmu_rb_insert+0x155/0x1b0 [hfi1]
+ [<ffffffffc0b0777b>] hfi1_user_sdma_process_request+0xc5b/0x11b0 [hfi1]
+ [<ffffffffc0ac193a>] hfi1_aio_write+0xba/0x110 [hfi1]
+ [<ffffffffa001a2bb>] do_sync_readv_writev+0x7b/0xd0
+ [<ffffffffa001bede>] do_readv_writev+0xce/0x260
+ [<ffffffffa022b089>] ? tty_ldisc_deref+0x19/0x20
+ [<ffffffffa02268c0>] ? n_tty_ioctl+0xe0/0xe0
+ [<ffffffffa001c105>] vfs_writev+0x35/0x60
+ [<ffffffffa001c2bf>] SyS_writev+0x7f/0x110
+ [<ffffffffa051f7d5>] system_call_fastpath+0x1c/0x21
+Code: 06 49 c7 47 18 00 00 00 00 0f 87 89 01 00 00 5b 41 5c 41 5d 41 5e 41 5f
+5d c3 66 2e 0f 1f 84 00 00 00 00 00 48 8b 4e 10 48 89 fb <48> 8b 51 08 49 89 d4
+83 e2 0c 41 81 e4 00 e0 00 00 48 c1 ea 02
+RIP [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0 [hfi1]
+ RSP <ffff8b2ed1f9bab0>
+CR2: 0000000000000008
+
+There are two exit points from user_sdma_send_pkts(). One (free_tx)
+merely frees the slab entry and one (free_txreq) cleans the sdma_txreq
+prior to freeing the slab entry. The free_txreq variation can only be
+called after one of the sdma_init*() variations has been called.
+
+In the panic case, the slab entry had been allocated but not inited.
+
+Fix the issue by exiting through free_tx thus avoiding sdma_clean().
+
+Cc: <stable@vger.kernel.org> # 4.9.x+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+
+---
+ drivers/infiniband/hw/hfi1/user_sdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/user_sdma.c
++++ b/drivers/infiniband/hw/hfi1/user_sdma.c
+@@ -828,7 +828,7 @@ static int user_sdma_send_pkts(struct us
+ if (ACCESS_ONCE(iovec->offset) == iovec->iov.iov_len) {
+ if (++req->iov_idx == req->data_iovs) {
+ ret = -EFAULT;
+- goto free_txreq;
++ goto free_tx;
+ }
+ iovec = &req->iovs[req->iov_idx];
+ WARN_ON(iovec->offset);
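Review bot: The choice between `free_tx` and `free_txreq` at this `goto` depends on whether the tx has already been through one of the sdma init calls, and nothing at the call site says so. A comment above `goto free_tx;`, such as `/* tx is allocated but not yet initialised: free_txreq would run the sdma clean-up on it */`, would keep a later edit from reintroducing the NULL dereference shown in the commit message. The mismatch between the packet count and the supplied iovecs comes from user space and is only detected here, mid-loop. Rejecting it when the request is first parsed would be more robust if the information is available there; the parsing code is outside this hunk. user_sdma_send_pkts() starts and ends outside the hunk.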
--- /dev/null
+From ee92efe41cf358f4b99e73509f2bfd4733609f26 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 17 Sep 2018 18:10:05 -0700
+Subject: IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit ee92efe41cf358f4b99e73509f2bfd4733609f26 upstream.
+
+Use different loop variables for the inner and outer loop. This avoids
+that an infinite loop occurs if there are more RDMA channels than
+target->req_ring_size.
+
+Fixes: d92c0da71a35 ("IB/srp: Add multichannel support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2669,7 +2669,7 @@ static int srp_reset_device(struct scsi_
+ {
+ struct srp_target_port *target = host_to_target(scmnd->device->host);
+ struct srp_rdma_ch *ch;
+- int i;
++ int i, j;
+ u8 status;
+
+ shost_printk(KERN_ERR, target->scsi_host, "SRP reset_device called\n");
+@@ -2683,8 +2683,8 @@ static int srp_reset_device(struct scsi_
+
+ for (i = 0; i < target->ch_count; i++) {
+ ch = &target->ch[i];
+- for (i = 0; i < target->req_ring_size; ++i) {
+- struct srp_request *req = &ch->req_ring[i];
++ for (j = 0; j < target->req_ring_size; ++j) {
++ struct srp_request *req = &ch->req_ring[j];
+
+ srp_finish_req(ch, req, scmnd->device, DID_RESET << 16);
+ }
--- /dev/null
+From 91a97507323e1ad4bfc10f4a5922e67cdaf8b3cd Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Tue, 18 Sep 2018 09:32:22 -0700
+Subject: Input: elantech - enable middle button of touchpad on ThinkPad P72
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit 91a97507323e1ad4bfc10f4a5922e67cdaf8b3cd upstream.
+
+Adding 2 new touchpad IDs to support middle button support.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1180,6 +1180,8 @@ static const struct dmi_system_id elante
+ static const char * const middle_button_pnp_ids[] = {
+ "LEN2131", /* ThinkPad P52 w/ NFC */
+ "LEN2132", /* ThinkPad P52 */
++ "LEN2133", /* ThinkPad P72 w/ NFC */
++ "LEN2134", /* ThinkPad P72 */
+ NULL
+ };
+
--- /dev/null
+From 67e3816842fe6414d629c7515b955952ec40c7d7 Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Fri, 31 Aug 2018 07:16:03 -0700
+Subject: RDMA/uverbs: Atomically flush and mark closed the comp event queue
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit 67e3816842fe6414d629c7515b955952ec40c7d7 upstream.
+
+Currently a uverbs completion event queue is flushed of events in
+ib_uverbs_comp_event_close() with the queue spinlock held and then
+released. Yet setting ev_queue->is_closed is not set until later in
+uverbs_hot_unplug_completion_event_file().
+
+In between the time ib_uverbs_comp_event_close() releases the lock and
+uverbs_hot_unplug_completion_event_file() acquires the lock, a completion
+event can arrive and be inserted into the event queue by
+ib_uverbs_comp_handler().
+
+This can cause a "double add" list_add warning or crash depending on the
+kernel configuration, or a memory leak because the event is never dequeued
+since the queue is already closed down.
+
+So add setting ev_queue->is_closed = 1 to ib_uverbs_comp_event_close().
+
+Cc: stable@vger.kernel.org
+Fixes: 1e7710f3f656 ("IB/core: Change completion channel to use the reworked objects schema")
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -424,6 +424,7 @@ static int ib_uverbs_comp_event_close(st
+ list_del(&entry->obj_list);
+ kfree(entry);
+ }
++ file->ev_queue.is_closed = 1;
+ spin_unlock_irq(&file->ev_queue.lock);
+
+ uverbs_close_fd(filp);
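Review bot: Setting `file->ev_queue.is_closed = 1` inside the locked region closes the race only if the producer tests the flag under the same `ev_queue.lock` before it queues an entry. That test is not visible in this hunk and should be confirmed in ib_uverbs_comp_handler(). Since the ordering is the whole fix, I would add a comment on the new line, e.g. `/* mark closed before dropping the lock so no completion can be queued after the flush */`. ib_uverbs_comp_event_close() starts outside the hunk.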
--- /dev/null
+From e871db8d78df1c411032cbb3acfdf8930509360e Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Tue, 11 Sep 2018 10:00:44 +0200
+Subject: Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()"
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit e871db8d78df1c411032cbb3acfdf8930509360e upstream.
+
+This reverts commit 6e22e3af7bb3a7b9dc53cb4687659f6e63fca427.
+
+The bug the patch describes to, has been already fixed in commit
+2df6948428542 ("USB: cdc-wdm: don't enable interrupts in USB-giveback")
+so need to this, revert it.
+
+Fixes: 6e22e3af7bb3 ("usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-wdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -457,7 +457,7 @@ static int service_outstanding_interrupt
+
+ set_bit(WDM_RESPONDING, &desc->flags);
+ spin_unlock_irq(&desc->iuspin);
+- rv = usb_submit_urb(desc->response, GFP_ATOMIC);
++ rv = usb_submit_urb(desc->response, GFP_KERNEL);
+ spin_lock_irq(&desc->iuspin);
+ if (rv) {
+ dev_err(&desc->intf->dev,
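Review bot: `usb_submit_urb(desc->response, GFP_KERNEL)` may sleep, so it is only safe if every caller of service_outstanding_interrupt() runs in process context and holds nothing but `iuspin`. The hunk shows the `spin_unlock_irq()` just before the call but not the callers. A `might_sleep();` at the top of the function, or a comment such as `/* process context only: iuspin is dropped around the submit */`, would make that assumption checkable instead of leaving it to be rediscovered. The function starts and ends outside the hunk.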
usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch
slub-make-cpu_partial-unsigned-int.patch
media-uvcvideo-support-realtek-s-uvc-1.5-device.patch
+usb-usbdevfs-sanitize-flags-more.patch
+usb-usbdevfs-restore-warning-for-nonsensical-flags.patch
+revert-usb-cdc-wdm-fix-a-sleep-in-atomic-context-bug-in-service_outstanding_interrupt.patch
+usb-remove-lpm-management-from-usb_driver_claim_interface.patch
+input-elantech-enable-middle-button-of-touchpad-on-thinkpad-p72.patch
+ib-srp-avoid-that-sg_reset-d-srp_device-triggers-an-infinite-loop.patch
+ib-hfi1-fix-sl-array-bounds-check.patch
+ib-hfi1-invalid-user-input-can-result-in-crash.patch
+ib-hfi1-fix-context-recovery-when-pbc-has-an-unsupportedvl.patch
+rdma-uverbs-atomically-flush-and-mark-closed-the-comp-event-queue.patch
--- /dev/null
+From c183813fcee44a249339b7c46e1ad271ca1870aa Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Sep 2018 13:58:51 -0400
+Subject: USB: remove LPM management from usb_driver_claim_interface()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit c183813fcee44a249339b7c46e1ad271ca1870aa upstream.
+
+usb_driver_claim_interface() disables and re-enables Link Power
+Management, but it shouldn't do either one, for the reasons listed
+below. This patch removes the two LPM-related function calls from the
+routine.
+
+The reason for disabling LPM in the analogous function
+usb_probe_interface() is so that drivers won't have to deal with
+unwanted LPM transitions in their probe routine. But
+usb_driver_claim_interface() doesn't call the driver's probe routine
+(or any other callbacks), so that reason doesn't apply here.
+
+Furthermore, no driver other than usbfs will ever call
+usb_driver_claim_interface() unless it is already bound to another
+interface in the same device, which means disabling LPM here would be
+redundant. usbfs doesn't interact with LPM at all.
+
+Lastly, the error return from usb_unlocked_disable_lpm() isn't handled
+properly; the code doesn't clean up its earlier actions before
+returning.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 8306095fd2c1 ("USB: Disable USB 3.0 LPM in critical sections.")
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c | 15 ---------------
+ 1 file changed, 15 deletions(-)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -512,7 +512,6 @@ int usb_driver_claim_interface(struct us
+ struct device *dev;
+ struct usb_device *udev;
+ int retval = 0;
+- int lpm_disable_error = -ENODEV;
+
+ if (!iface)
+ return -ENODEV;
+@@ -533,16 +532,6 @@ int usb_driver_claim_interface(struct us
+
+ iface->condition = USB_INTERFACE_BOUND;
+
+- /* See the comment about disabling LPM in usb_probe_interface(). */
+- if (driver->disable_hub_initiated_lpm) {
+- lpm_disable_error = usb_unlocked_disable_lpm(udev);
+- if (lpm_disable_error) {
+- dev_err(&iface->dev, "%s Failed to disable LPM for driver %s\n.",
+- __func__, driver->name);
+- return -ENOMEM;
+- }
+- }
+-
+ /* Claimed interfaces are initially inactive (suspended) and
+ * runtime-PM-enabled, but only if the driver has autosuspend
+ * support. Otherwise they are marked active, to prevent the
+@@ -561,10 +550,6 @@ int usb_driver_claim_interface(struct us
+ if (device_is_registered(dev))
+ retval = device_bind_driver(dev);
+
+- /* Attempt to re-enable USB3 LPM, if the disable was successful. */
+- if (!lpm_disable_error)
+- usb_unlocked_enable_lpm(udev);
+-
+ if (retval) {
+ dev->driver = NULL;
+ usb_set_intfdata(iface, NULL);
--- /dev/null
+From 81e0403b26d94360abd1f6a57311337973bc82cd Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 5 Sep 2018 12:07:03 +0200
+Subject: USB: usbdevfs: restore warning for nonsensical flags
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 81e0403b26d94360abd1f6a57311337973bc82cd upstream.
+
+If we filter flags before they reach the core we need to generate our
+own warnings.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Fixes: 0cb54a3e47cb ("USB: debugging code shouldn't alter control flow")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1715,6 +1715,11 @@ static int proc_do_submiturb(struct usb_
+ u |= URB_NO_INTERRUPT;
+ as->urb->transfer_flags = u;
+
++ if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
++ dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");
++ if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
++ dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n");
++
+ as->urb->transfer_buffer_length = uurb->buffer_length;
+ as->urb->setup_packet = (unsigned char *)dr;
+ dr = NULL;
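Review bot: Both new `dev_warn()` calls fire on flag values taken directly from the user's URB, so any process that can open the usbfs node can emit a kernel log line for every URB it submits. A rate-limited form keeps the diagnostic without letting it crowd out other messages: `dev_warn_ratelimited(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");`, and the same for the ZERO_PACKET line. The conditions mix `&&` and `&` without parentheses; `(uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)` is easier to read correctly. proc_do_submiturb() starts and ends outside the hunk.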
--- /dev/null
+From 7a68d9fb851012829c29e770621905529bd9490b Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 5 Sep 2018 12:07:02 +0200
+Subject: USB: usbdevfs: sanitize flags more
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 7a68d9fb851012829c29e770621905529bd9490b upstream.
+
+Requesting a ZERO_PACKET or not is sensible only for output.
+In the input direction the device decides.
+Likewise accepting short packets makes sense only for input.
+
+This allows operation with panic_on_warn without opening up
+a local DOS.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+843efa30c8821bd69f53@syzkaller.appspotmail.com
+Fixes: 0cb54a3e47cb ("USB: debugging code shouldn't alter control flow")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1451,10 +1451,13 @@ static int proc_do_submiturb(struct usb_
+ struct async *as = NULL;
+ struct usb_ctrlrequest *dr = NULL;
+ unsigned int u, totlen, isofrmlen;
+- int i, ret, is_in, num_sgs = 0, ifnum = -1;
++ int i, ret, num_sgs = 0, ifnum = -1;
+ int number_of_packets = 0;
+ unsigned int stream_id = 0;
+ void *buf;
++ bool is_in;
++ bool allow_short = false;
++ bool allow_zero = false;
+ unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK |
+ USBDEVFS_URB_BULK_CONTINUATION |
+ USBDEVFS_URB_NO_FSBR |
+@@ -1488,6 +1491,8 @@ static int proc_do_submiturb(struct usb_
+ u = 0;
+ switch (uurb->type) {
+ case USBDEVFS_URB_TYPE_CONTROL:
++ if (is_in)
++ allow_short = true;
+ if (!usb_endpoint_xfer_control(&ep->desc))
+ return -EINVAL;
+ /* min 8 byte setup packet */
+@@ -1528,6 +1533,10 @@ static int proc_do_submiturb(struct usb_
+ break;
+
+ case USBDEVFS_URB_TYPE_BULK:
++ if (!is_in)
++ allow_zero = true;
++ else
++ allow_short = true;
+ switch (usb_endpoint_type(&ep->desc)) {
+ case USB_ENDPOINT_XFER_CONTROL:
+ case USB_ENDPOINT_XFER_ISOC:
+@@ -1548,6 +1557,10 @@ static int proc_do_submiturb(struct usb_
+ if (!usb_endpoint_xfer_int(&ep->desc))
+ return -EINVAL;
+ interrupt_urb:
++ if (!is_in)
++ allow_zero = true;
++ else
++ allow_short = true;
+ break;
+
+ case USBDEVFS_URB_TYPE_ISO:
+@@ -1692,11 +1705,11 @@ static int proc_do_submiturb(struct usb_
+ u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
+ if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
+ u |= URB_ISO_ASAP;
+- if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in)
++ if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
+ u |= URB_SHORT_NOT_OK;
+ if (uurb->flags & USBDEVFS_URB_NO_FSBR)
+ u |= URB_NO_FSBR;
+- if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
++ if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
+ u |= URB_ZERO_PACKET;
+ if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
+ u |= URB_NO_INTERRUPT;
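Review bot: The direction rule is written out three times, in the CONTROL, BULK and `interrupt_urb:` hunks. The BULK case sets `allow_zero`/`allow_short` before its inner switch on the endpoint type, which presumably can jump to `interrupt_urb:` and set them a second time. A single comment at the declarations would state the rule once, e.g. `/* ZERO_PACKET is honoured only for OUT, SHORT_NOT_OK only for IN; neither for ISO */`; the ISO part is inferred from that case leaving both flags false, so please confirm it. In the CONTROL case `allow_short` is assigned before the `usb_endpoint_xfer_control()` check, and moving it below the validity checks would keep the flags from being set for a request that is about to be rejected. In the final hunk, parenthesising the tests as `(uurb->flags & USBDEVFS_URB_ZERO_PACKET)` would match the care taken elsewhere in this user-input path.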